Security Services in a Software Defined Control System

ABSTRACT

A software defined (SD) process control system (SDCS) includes a control container having contents which are executable during run-time of the process plant to control at least a portion of an industrial process. The SDCS also includes a security service associated with the control container and including contents which define one or more security conditions. The security service executes via a container on a compute node of the SDCS to control access to and/or data flow from the control container based on the contents of the security container.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to and the benefit of U.S. ProvisionalPatent Application 63/211,535 filed on Jun. 16, 2021 and entitled“Software Defined Process Control System for Industrial Process Plants,”the entire disclosure of which is hereby incorporated by reference.

TECHNICAL FIELD

The present application relates generally to industrial process controlsystems of industrial process plants and, more particularly, toindustrial process control systems that are software defined.

BACKGROUND

Current distributed industrial process control systems, like those usedin chemical, petroleum, industrial or other process plants tomanufacture, refine, transform, generate, or produce physical materialsor products, typically include one or more process controllerscommunicatively coupled to one or more field devices via physical layersthat may be analog, digital or combined analog/digital buses, or thatmay include one or more wireless communication links or networks. Thefield devices, which may be, for example, valves, valve positioners,switches and transmitters (e.g., temperature, pressure, level and flowrate sensors), are located within the process environment of theindustrial process plant (which is interchangeably referred to herein asa “field environment” or a “plant environment” of the industrial processplant), and generally perform physical process control functions such asopening or closing valves, measuring process and/or environmentalparameters such as flow, temperature or pressure, etc. to control one ormore processes executing within the process plant or system. Smart fielddevices, such as the field devices conforming to the well-knownFOUNDATION® Fieldbus protocol may also perform control calculations,alarming functions, and other control functions commonly implementedwithin the controller. The process controllers, which are also typicallylocated within the plant environment, but may be located in a back-end,protected environment associated with the plant, receive signalsindicative of process measurements made by the field devices and/orother information pertaining to the field devices and execute a controlroutine or application that runs, for example, different control moduleswhich utilize different control algorithms make process controldecisions, generate process control signals based on the receivedinformation and coordinate with the control modules or blocks beingperformed in the field devices, such as HART®, WirelessHART®, andFOUNDATION® Fieldbus field devices.

Other types of field devices may include, for example, spectrometricdevices which may be used for quality control and purity verification,e.g., in specialty chemical and pharmaceutical process plants. Examplesof spectrometric field devices include NIR (Near-infrared), UV-VIS(ultraviolet-visible), and Raman spectrometers, to name a few.Spectrometric field devices may be controlled or managed by controllersor device managers which typically instruct the spectrometric deviceswhen to collect data, when to transmit collected data, etc.

I/O devices disposed between the field devices and the controllersenable communications therebetween. For example, control modules in aprocess controller send the control signals to various differentinput/output (I/O) devices, which then send these control signals overspecialized communication lines or links (communication physical layers)to the actual field devices to thereby control the operation of at leasta portion of the process plant or system, e.g., to control at least aportion of one or more industrial processes (e.g., physical processes)running or executing within the plant or system. In another example,spectrometric managers or controllers transmit instructions to variousI/O devices, which then send the instructions via the specializedcommunication lines or links to physical spectrometric devices disposedin the industrial process plant. Responsive to the instructions, thespectrometric devices transmit collected data to themanagers/controllers and/or to other recipient devices in the processcontrol system via a similar reverse route through the I/O devices. TheI/O devices, which are also typically located within the plantenvironment, are generally disposed between a controller and one or morefield devices, and enable communications there-between, e.g., byconverting electrical signals into digital values and vice versa.Different I/O devices are provided to support field devices that usedifferent specialized communication protocols. More particularly, adifferent I/O device is provided between a controller and each of thefield devices that uses a particular communication protocol, such that afirst I/O device is used to support HART field devices, a second I/Odevice is used to support Fieldbus field devices, a third I/O device isused to support Profibus field devices, etc. Field devices, controllers,and I/O devices are generally referred to as “process control devices,”and are generally located, disposed, or installed in a field environmentof a process control system or plant.

Still further, information from the field devices and their respectivecontrollers is usually made available through the controllers over adata highway or communication network to one or more other hardwaredevices, such as operator workstations, personal computers or computingdevices, data historians, report generators, centralized databases, orother centralized administrative computing devices that are typicallyplaced in control rooms or other locations away from the harsher and/orhazardous field environment of the plant, e.g., in a back-endenvironment of the process plant. Each of these hardware devicestypically is centralized across the process plant or across a portion ofthe process plant. These hardware devices run applications that may, forexample, enable an operator to perform functions with respect tocontrolling a process and/or operating the process plant, such aschanging settings of the process control routine, modifying theoperation of the control modules within the controllers or the fielddevices, viewing the current state of the process, viewing alarmsgenerated by field devices and controllers, simulating the operation ofthe process for the purpose of training personnel or testing processcontrol software, keeping and updating a configuration database, etc.The data highway utilized by the hardware devices and processcontrollers may include a wired communication path, a wirelesscommunication path, or a combination of wired and wireless communicationpaths, and typically uses a packet based communication protocol andnon-time sensitive communication protocol, such as an Ethernet or IPprotocol.

As an example, the DeltaV™ control system, sold by Emerson ProcessManagement, includes multiple applications stored within and executed bydifferent devices located at diverse places within a process plant. Aconfiguration application, which resides in one or more workstations orcomputing devices, enables users to create or change process controlmodules and to download these process control modules via a data highwayto dedicated distributed controllers. Typically, these control modulesare made up of communicatively interconnected function blocks, which maybe objects in an object-oriented programming protocol that performfunctions within the control scheme based on inputs thereto and thatprovide outputs to other function blocks within the control scheme. Theconfiguration application may also allow a configuration engineer tocreate or change operator interfaces that are used by a viewingapplication to display data to an operator and to enable the operator tochange settings, such as set points, within the process controlroutines. Each dedicated controller and, in some cases, one or morefield devices, stores and executes a respective controller applicationthat runs the control modules assigned and downloaded thereto toimplement actual process control functionality. The viewingapplications, which may be executed on one or more operator workstations(or on one or more remote computing devices in communicative connectionwith the operator workstations and the data highway), receive data fromthe controller application via the data highway and display this data toprocess control system designers, operators, or users using the userinterfaces, and may provide any of a number of different views, such asan operator's view, an engineer's view, a technician's view, etc. A datahistorian application is typically stored in and executed by a datahistorian device that collects and stores some or all of the dataprovided across the data highway while a configuration databaseapplication may run in a still further computer attached to the datahighway to store the current process control routine configuration anddata associated therewith. Alternatively, the configuration database maybe located in the same workstation as the configuration application.

As distributed industrial process control systems have evolved overtime, different hardware, communication, and networking technologieshave been developed and added. Consequently, present day process controlsystems typically include a myriad of inflexible and hardware-centricdevices, such as dedicated operator consoles, configuration stations,purpose-built controllers, and I/O cards, to name a few. This slew ofdifferent types of hardware devices within a process control systemnecessitates multiple levels of configuration and exposure of theunderlying system to the user, and typically translates to increasedcost of initial engineering efforts and increased cost to perform changemanagement. Further, process plant installations and expansions areeasily subject to cost overruns and supply-chain delays due to theirdependence on purpose-built hardware.

The information technology (IT) sector suffers from similar issues,although in a more generalized sense. Within the IT sector, recenttrends include abstracting layers of infrastructure, including physicalhardware requirements, away from user-bearing business logic so as toallow for flexibility of hardware installation. Typically, in ITsystems, IT administrators design, dictate, or otherwise set forth thehardware requirements which are deemed to be needed to implement thetarget user-bearing business logic, and IT administrators adjusthardware platform configurations and utilizations when business logicneeds change.

SUMMARY

An industrial, software defined process control system (SDCS) provides anovel architecture for a process control system of an industrial processplant which, to a large extent, decouples software and hardware of theprocess control system. Generally speaking, the business logic ofprocess control system automation is implemented as logical abstractionson top of software and hardware computer resources. The management ofthese resources for industrial process control may be implemented in ahyper-converged computer system infrastructure environment, in which thesoftware defined (SD) components or elements are managed and distributedby the software defined process control system using some or all of thetechniques described herein. Advantageously, the software definedprocess control system dynamically and automatically manages softwareand hardware resources to support dynamic demands of process controlsystem business logic in view of dynamically occurring conditions of theprocess control system and industrial process plant (e.g., responsivelyand/or predictively) during run-time of the software defined processcontrol system.

The software defined process control system (SDCS) may include asoftware defined networking layer, a software defined application layer,and a software defined storage layer which are supported by a physicallayer. The physical layer may or may not be included in the SDCS.Generally speaking, the physical layer includes hardware interfaces(e.g., one or more network interfaces or ports) via which the SDCS iscommunicatively connected to the field environment of the industrialprocess plant and physical devices or physical components disposedtherein. For example, the hardware interfaces may include input/output(I/O) interfaces. The physical layer may also include routingcomponents, which may be implemented via software and/or hardware, toroute data to and from specific interface ports. In some embodiments,the SDCS includes the physical layer, and in some embodiments, the SDCSexcludes the physical layer and is communicatively connected to anotherset of computing devices or computing platform which provides thephysical layer.

The software defined networking layer of the SDCS includes a computingplatform including one or more data computing clusters, which are atleast partially, if not fully, internetworked. Each cluster may includeone or more nodes which are at least partially networked to each othervia respective networking resources, and each node includes a respectiveset of processor and/or processor core resources and memory resources.For example, a node may be implemented on a computing device or aserver. A computing device or server may include multiple processors,and a processor may include multiple cores.

At the SD networking layer, a software defined operating system monitorsand administrates the creation of components of the software definedapplication layer and the application layer components' usage orutilization (both singularly and collectively) of the available (andpossibly dynamically changing hardware and software resources) of thecomputing platform nodes during start up and run-time of the SDCS. Forexample, the SD operating system assigns application layer components toexecute on particular nodes of the computing platform, and/or to utilizeparticular processor resources, processing core resources, and/or memoryresources of the nodes of the computing platform. Generally speaking,the SD operating system of the SD networking layer provides supportservices, some of which are consumed by SD application layer components,which allocate, assign, re-allocate, re-assign, load-balance, etc. theSD application layer components to and among various nodes (and, in somecases, to various processing and/or memory resources of a specific node)according to process control system business logic, timing, andperformance requirements, in coordination with monitoring and managingthe hardware and software resources of the nodes to support the softwaredefined application layer components. Additionally, the software definednetworking layer communicatively couples and manages the networking ordelivery of data between software defined application layer componentsand their respective endpoints, which may be other software definedapplication layer components, devices disposed in the process plantfield environment, user interface devices, external systems, etc.

The software defined application layer includes process control systembusiness logic, which is typically implemented via containers, virtualmachines, or other suitable encapsulated execution environments. Forexample, process control system business logic may be implemented as aset of application layer services, where application layer services maybe respectively configured for specific sets of business logic, and eachinstance of a configured service may execute in a separate encapsulatedexecution environment. For example, SDCS application layer services mayinclude process control controllers, user interfaces, diagnostics,analytics, I/O networking, and historians, to name a few. SD applicationlayer services may be configured with control routines, tags, deviceidentifiers, device signal identifiers, parameters, values, etc. to formconfigured instances of services, each of which may execute in arespective encapsulated execution environment (e.g., configuredcontainers, virtual machines, etc.). The configured encapsulatedexecution environments are assigned or allocated (and in some cases,re-assigned or re-allocated based on dynamically occurring conditionswithin the industrial process plant) by the SD networking layer toexecute on respective software and/or hardware resources of the nodes ofthe computing platform.

The software defined storage layer includes process control system datastorage which may be utilized by the software defined application layer.Similar to the software defined application layer, the software definedstorage layer provides logical storage entities or locations for use bythe applications of the SD application layer, and the logical storageentities are assigned and/or allocated (and in some cases, re-assignedand/or re-allocated) by the SD networking layer to various resources ofthe nodes of the computing platform. Further, the SD networking layermay provide redundancy of various logical storage entities, if desired.

A method and system for controlling an industrial process control plantuses the SDCS application layer services to facilitate process controlusing software defined controllers, software defined input/outputresources, software defined storage, and/or software defined networking.The SDCS application layer includes one or more containers executing oneor more services. An orchestrator operates as part of a hyper convergedinfrastructure to control the instantiation of the one or morecontainers, and to facilitate load balancing and fault tolerance byduplication and/or moving (e.g., re-instantiating) containers betweendifferent hardware resources. For example, individual containers,executing respective services, may be moved between hardware resourcesas hardware resources (e.g., processors, processor cores, memorydevices, network capacity) become loaded, in order to ensure that allservices are operating nominally. As another example, multiple copies ofa specific container (i.e., multiple copies of a service serving aspecific portion of the process plant) may be instantiated on differenthardware resources in order to ensure that if a single copy of thecontainer becomes unstable or unavailable, or a hardware resource fails,control can shift to another copy of the container without any (or withonly minimal, milliseconds, for example) time required to ensurecontinuous control of the process. The services implemented in thismanner, and controlled by the orchestrator, may include I/O serverservices, controller services, historians, subsystems (e.g., batchcontrol, continuous control, event control, alarm subsystems, diagnosticsubsystems, etc.), network services (e.g., software firewalls), and anyother containerized service in the SDCS. The hardware resources overwhich hardware diversity may be implemented between identical containersinclude data clusters, power supplies, server nodes, processors,processor cores, memory devices, etc., and can allow for the dynamicaddition or removal of hardware resources as necessary or required.

Another aspect of the presently described system includes nestedcomputing containers operating within the SDCS. While each of thecontainers instantiated on a computing node is an isolated executingenvironment executing within the operating system of the computing node,a given container may be instantiated within another container and/ormay have one or more containers instantiated therein. As such, it ispossible, for example, to replicate physical or logical hierarchieswithin the process plant, thereby duplicating in the setup of the SDCSthe physical and logical arrangements of elements within the processplant. For instance, plant areas, units within areas, and processmodules within units may be replicated in nested containers of the SDCS.

Still further, in the SDCS described herein, containers may be pinned toother elements of the process control environment. By pinning acontainer to another element of the process control system or plant, aconfiguration engineer or operator may ensure that certain parametersare met, notwithstanding some autonomy enjoyed by the orchestrator. Forexample, containers may be pinned to compute resources, to storageresources, to network resources, to power supply resources, and thelike, in order to ensure that certain aspects of fault tolerance aremaintained, even though containers may be “moved” for load balancingpurposes (e.g., a container may remain on compute resources coupled to aspecific power supply, even though the container may be moved betweencompute resources that are coupled to the power supply). Containers mayalso be pinned to other containers or groups of containers (so that theyare moved/instantiated together), whether nested or not, or may bepinned to hardware in the process control plant itself (e.g., so that aparticular controller container is associated with a specific unit ofprocess control hardware).

In example operation, an I/O server service of the SDCS interfaces withmultiple containerized controller services each implementing the samecontrol routine to control the same portion of the same plant. The I/Oserver service may provide the same controller inputs to each of thecontainerized controller services (e.g., the controller outputsrepresenting measurements that have been obtained by field devices andtransmitted by the field devices to the I/O server service). Eachcontainerized controller service executes the same control routine togenerate a set of controller outputs. The I/O server service receiveseach set of controller outputs and forwards an “active” set ofcontroller outputs to the appropriate field devices. The sets of outputsfrom the other controller services may not be transmitted to the fielddevices. The I/O server service and other services in the system, suchas an orchestrator service, may continuously evaluate performance andresource utilization in the control system, and may dynamically activateand deactivate controller services as appropriate to optimizeperformance. If desired, the I/O server service may be containerized.Further, more than one instance of the same containerized I/O serverservice may exist. In such an implementation, a single one of theseinstances may be considered “active,” acting as a fully functionalintermediary for I/O traffic between field devices and containerizedcontroller services. The “inactive” I/O server services may receive thesame I/O traffic received by the “active” I/O server service and mayimplement the same logic on the I/O traffic. However, if desired, the“inactive” I/O server services do not forward the I/O traffic; or ifthey do, it is not received and acted on by the target service or device(e.g., a network switch may receive the traffic and determine it is“inactive” I/O traffic, and thus might not forward it to it target).

Containerized controller services and containerized I/O server servicesmay be distributed across physical resources at a plant or elsewhere inany desired fashion. Further, if desired, any one or more of theimplemented containers are not permanently fixed or pinned to anyparticular computer cluster or node/server they happen to be executingon at any given time. The containers may be dynamically (e.g., in ornear real-time, during execution) instantiated, deleted, andre-instantiated at different computers when desired to balance computingand network loads and to mitigate computational or networkinginefficiencies (e.g., when a given physical resource becomes overlyburdened computationally or by network traffic). Further, the totalinstances of a given container can be dynamically reduced or increasedas needed, and any one of these instances (e.g., each implementing thesame controller service) may activated or deactivated as needed. This“juggling” between containers may be helpful if the computational andnetworking workloads for the physical resources are highly variable.Each controller service may be containerized in its own dedicatedcontainer, thereby providing a relatively isolated, consistent, andpredictable environment within which each controller service isimplemented, regardless of the broader software environment present onthe node implementing the containers. For example, a container mayinclude software dependencies and software libraries needed for a givencontroller service. Without containers, it might be necessary toproperly configure every single node on which the controller servicemight run in order to ensure consistent environments for the controllerservice. And if a given node needs to be capable of implementing variousdifferent types of services (each of which may have differentenvironmental requirements), ensuring proper configuration of the nodecan become complex. By contrast, the described controller servicecontainers enable each controller service to easily be instantiated atany given node and to easily be moved between nodes/servers or computingclusters (e.g., by the I/O server service).

Another aspect of the presently described system includes securityservices within the SDCS. At the SD networking layer, an SD networkingservice may administer and manage the logical or virtual networkingutilized by the logical process control system, which may be implementedby the SD networking service across the physical nodes. The SDnetworking service may deploy and manage instances of networkappliances, such as virtual routers, virtual firewalls, virtualswitches, virtual interfaces, virtual data diode, etc., and instances ofnetwork services, such as packet inspection services, access controlservices, authorization services, authentication services, encryptionservices, certificate authority services, key management services, etc.,in the SDCS.

For example, the SD networking service may deploy a service forrole-based authorization within the SDCS. When a user requestsauthorization to access a service (e.g., a control service) within theSDCS, the authorization service may determine an authorization level ofthe user based on the request and determine whether the user isauthorized to access the other service. More specifically, theauthorization service may determine a minimum threshold authorizationlevel for accessing the control service, and determine whether theuser's authorization level meets or exceeds the minimum thresholdauthorization level. If the user is unauthorized, the authorizationservice may prevent access to the control service.

The SD networking service may also deploy a certificate authorityservice. The certificate authority service may generate digitalcertificates for physical or logical assets for authenticating thephysical or logical assets. The certificate may indicate that thecertificate authority service verified the identity of the physical orlogical asset, so that the identity of the physical or logical assetdoes not need to be verified each time the physical or logical assetcommunicated with services or nodes of the SDCS.

The SDCS may also include a discovery service that executes via acontainer on a compute node of the SDCS. When a physical or logicalasset joins a network in the process plant, the physical or logicalasset announces its presence. The discovery service then generates andstores a record of the identity, capabilities, and/or location of eachphysical or logical asset in the process plant which may be utilizedduring run-time of the process plant to control at least a portion ofthe industrial process. In this manner, the discovery service may assistin the commissioning of physical assets within the process plant, suchas field devices as well as commissioning logical assets such ascontainers, services, and microservices. Physical or logical assets inthe SDCS may be commissioned automatically upon discovery without manualinput.

The discovery service may also perform fault recovery when the record ofthe physical or logical assets in the process plant is corrupted ordestroyed by broadcasting a request to each of the physical or logicalassets in the network to announce their presence. In this manner, therecord of the physical or logical assets may be recovered automaticallywithout having to manually enter information about each of the physicalor logical assets in the process plant.

Furthermore, unlike current process control data exchange standards suchas OPC where the system at most identifies the capabilities that areannounced by a physical or logical asset (also referred to herein as“primary variables”), the discovery service described herein isconfigured to automatically infer additional capabilities of thephysical or logical asset which are not announced to the discoveryservice when the physical or logical asset is discovered (also referredto herein as “contextual variables”). The additional capabilities mayinclude additional parameters or services provided by the physical orlogical asset or services configured to communicate with the physical orlogical asset. The discovery service may then provide an indication ofthe capabilities of the physical or logical asset to another node orservice in the SDCS requesting information about the physical or logicalasset. In this manner, the discovery service may store a more completerecord of the physical or logical assets in the process plant and theirrespective capabilities than previous process control systems.Accordingly, nodes and services in the SDCS can obtain detailedinformation regarding the capabilities of the physical or logical assetsin the process plant from the discovery service without having to pollthe physical or logical assets directly to identify additionalcapabilities.

Still further, to assist a user in visualizing the run-time operation ofthe SDCS, a visualization service interfaces with the orchestrator and aconfiguration database to obtain configuration data and current run-timeoperational data defining the currently established or operatinginterrelationships between various logical elements of the controlsystem, such as control and subsystem containers, both with each otherand with physical elements in the system. The visualization service maycreate any number of different user displays that illustrate theserelationships (as currently configured and operating in the SDCS) andthat also provide key performance or health parameters for one or moreof the displayed logical and/or physical elements. For example, thevisualization service may create a run-time operational hierarchy thatillustrates, in a hierarchical view, the manner in which various logicalelements, such as control containers and sub-units thereof, are nestedwithin one another and are pinned to one another. This hierarchy mayalso illustrate the manner in which various logical elements are pinnedto or are simply being executed in or assigned to various physicalelements of the control system. The hierarchy display may also enable auser to move or dynamically reassign various logical elements to otherlogical elements or to physical elements within the system. Stillfurther, the visualization service may create and present a display thatillustrates physical hardware (e.g., servers, nodes, compute clusters,processors, etc.) within the control system and the logical elements(e.g., control containers, third party containers, subsystem containers,etc.) that are currently being executed on those physical elements. Thedisplay may also include performance or health indices indicatingvarious performance and/or health measures for the physical and logicalelements within the display. In other cases, the visualization servicemay create and present a display that illustrates various logicalelements and the manner in which these logical elements are nested orpinned to one another, as well as the physical elements currently beingused to execute each of the logical elements during the current run-timeof the control system. These displays may also provide or indicatevarious performance measures for the different logical and physicalelements displayed therein to enable a user to easily see or visualizethe current operation and the operational health of the control systemor various portions thereof.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a block diagram of an example physical industrial processplant which includes a software defined control system (SDCS).

FIG. 2 depicts a block diagram of an example software defined controlsystem, which may be included in the industrial process plant of FIG. 1.

FIG. 3 is a block diagram illustrating principles of fault tolerance andload balancing.

FIG. 4A is a block diagram conceptually illustrating load balancing.

FIG. 4B is a block diagram illustrating the implementation of prioritycontainers and of load balancing on a container level.

FIG. 5A is a block diagram illustrating an implementation of faulttolerance on a container level.

FIG. 5B is a block diagram illustrating an implementation of faulttolerance on a server level.

FIG. 6 is an example data structure maintained by an orchestrator totrack instantiated services and containers.

FIG. 7 is a block diagram depicting a software defined storage service.

FIG. 8 is a block diagram illustrating logical and physical hierarchicalarrangement of a process plant.

FIG. 9 is a block diagram illustrating an example implementation ofnested containers in a process control system.

FIG. 10 is a block diagram illustrating the use of nested containers forfault tolerance and load balancing.

FIG. 11 is a block diagram illustrating individually instantiatedcontainers in a nested hierarchical system.

FIG. 12 is a block diagram depicting another example of containernesting.

FIG. 13 is a block diagram illustrating a first example of containerpinning in a process control system.

FIG. 14 is a block diagram illustrating a second example of containerpinning in a process control system.

FIG. 15 is a block diagram of an I/O network including containerizedservices for implementing control of portions of areas of the plantshown in FIG. 1 .

FIG. 16 is a block diagram of a computer cluster, including physicalresources (e.g., computers, servers, networking equipment, etc.), onwhich any one or more of the various containers, microcontainers,services, and/or routines described herein may be implemented,dynamically assigned, and load balanced to optimize computer resourceusage and performance.

FIG. 17 depicts an example embodiment of a physical server on whichcontainerized services, such as those shown in FIGS. 15 and 16 , may beimplemented.

FIG. 18 is a flow chart of a method for implementing an I/O serverservice, such as one of those shown in FIGS. 15-17 .

FIG. 19 is a flow chart of a method for evaluating and transitioningbetween containerized controller services, such as one of those shown inFIGS. 15-17 .

FIG. 20 depicts a block diagram of example containers, services, and/orsubsystems included in the SDCS of FIG. 1 which are related to networksecurity.

FIG. 21 depicts another block diagram of example containers, services,and/or subsystems included in the SDCS of FIG. 1 which are related tonetwork security.

FIG. 22 depicts a block diagram of an example container configured toexecute a virtual router within the SDCS of FIG. 1 .

FIG. 23 depicts a block diagram of example virtual firewalls eachassociated with a respective control service, and including a set offirewall rules specific to the associated control service.

FIG. 24 depicts a block diagram of an example container configured toexecute a virtual controller and including a nested container configuredto execute a security service for the virtual controller.

FIG. 25 depicts another block diagram of an example container configuredto execute a virtual router within the SDCS of FIG. 1 , where thevirtual router includes nested containers configured to execute avirtual field gateway, a virtual data diode, and a virtual edge gateway,respectively.

FIG. 26 depicts a block diagram of an example container configured toexecute a certificate authority service.

FIG. 27 depicts a block diagram of example containers, services, and/orsubsystems included in the SDCS of FIG. 1 which are configured toexecute authentication and authorization services.

FIG. 28 depicts a block diagram of an example container configured toexecute a storage service.

FIG. 29 depicts a flow diagram representing an example method ofsecuring a process control system of a process plant.

FIG. 30 depicts a flow diagram representing an example method forrole-based authorization in a software defined process control system(SDCS).

FIG. 31 depicts a flow diagram representing an example method forgenerating a digital certificate by a certificate authority service forauthenticating a physical or logical asset of a process plant.

FIG. 32 depicts a flow diagram representing an example method forauthenticating a physical or logical asset of a process plant.

FIG. 33 depicts a block diagram of example containers, services, and/orsubsystems included in the SDCS of FIG. 1 which are related todiscovery.

FIG. 34 depicts a block diagram of an example container configured toexecute a discovery service.

FIG. 35 depicts a block diagram of an example container configured toexecute a context dictionary service.

FIG. 36 depicts a block diagram of an example context which may beincluded with a context dictionary container.

FIG. 37 depicts a flow diagram representing an example method forproviding discovery software as a service in a process plant.

FIG. 38 depicts a flow diagram representing an example method forinferring information regarding a physical or logical asset of a processplant using a context dictionary.

FIG. 39 depicts a flow diagram representing an example method formapping a set of capabilities to each type of physical or logical assetin a process plant and determining the capabilities of a discoveredphysical or logical asset.

FIG. 40 depicts a flow diagram representing an example method for faultrecovery of discovered items in a process plant.

FIG. 41 depicts a flow diagram representing an example method forautomatically commissioning an SDCS.

FIG. 42 depicts a diagram of a visualization service or utility,connected to a configuration database and an orchestrator, which may beused to provide current logical and physical configuration and runtimeinformation to a user, in addition to various performance indicatorsassociated with logical and physical elements of the system.

FIG. 43 depicts a first screen display that may be presented by thevisualization service of FIG. 42 to illustrate, in a hierarchical view,the configured and runtime interactions of logical and physical elementsin a control system.

FIG. 44 depicts a second screen display that may be presented by thevisualization service of FIG. 42 to illustrate configured and runtimeinteractions of logical elements currently implemented on a particularset of physical elements in the control system.

FIG. 45 depicts a third screen display that may be presented by thevisualization service of FIG. 42 to illustrate configured and runtimeinteractions of physical elements associated with a particular orselected set of logical elements in the control system.

FIG. 46 depicts a fourth screen display that may be presented by thevisualization service of FIG. 42 to illustrate configured and runtimeinteractions of logical and physical elements in the control system inaddition to various performance indicators for each element.

DETAILED DESCRIPTION

FIG. 1 depicts a block diagram of an example physical industrial processplant 10 including an example software defined control system (SDCS)100. The process plant 10 includes a field environment 12 (e.g., theprocess plant floor) communicatively connected to a back-end environment15. The back-end environment 15 of the plant 10 is typically shieldedfrom the harsh conditions and materials of the field environment 12, andmay include, for example, a separate room, building, or location on siteproximate to the field environment 12, any number of devices which arelocated remotely from the plant site, and/or any number of applicationswhich execute remotely on devices or systems which are located remotelyfrom the plant site. The back-end environment 15 includes the SDCS 100and typically also includes one or more physical work stations and/oruser interfaces 20 a-20 e which are communicatively connected to theSDCS 100. For example, one or more operator and/or configurationworkstations 20 a may be located on-site at the plant 10 in a shieldedroom and communicatively connected with the SDCS 100 via a wired data orcommunication link 22 (e.g., Ethernet or other suitable wired link), andone or more operator tablets 20 b utilized by on-site personnel may becommunicatively connected to the SDCS 100 via a wireless link 25 (e.g.,Wi-Fi, WirelessHART, cellular communication system link such as 4G LTE,5G, or 6G, or some other type of suitable wireless link) and wired link22. Other user interfaces 20 c-20 e associated with the process plant 10may be disposed externally to the plant 10 and may communicativelyconnect to the SDCS 100 via last mile links 30 and/or wireless 32 links,and/or via one or more networks private and/or public networks 35. Forexample, laptops 20 c, mobile devices 20 d, and/or process plant-relatedapplications executing in laptops 20 c, mobile devices 20 d, and/orvehicle systems 20 e may be communicatively connected to SDCS 100 viarespective wireless links 32, one or more public and/or private data orcommunication networks 35, and a direct or last-mile link 30 to the SDCS100 (which typically, but not necessarily, is a wired link). The remoteuser interfaces and devices 20 c-20 e may be utilized, for example, byplant operators, configuration engineers, and/or other personnelassociated with the industrial process plant 10 and components thereof.

As shown in FIG. 1 , the SDCS 100 communicatively connects to componentsof the field environment 12 via an I/O (input/output) interface systemor gateway 40. Generally speaking, the field-facing portion of the I/Ointerface system 40 includes a set of physical ports or physicalhardware interfaces via which various types of I/O data are deliveredto/from components disposed in the field environment, and which connectwith and/or support various types of process plant communication linksor data links 42-58 via which the I/O data is delivered. The I/Ointerface system 40 converts and/or routes physical I/O received vialinks 42-58 from components of the field environment 12 to recipientcomponents of the SDCS 100 (not shown in FIG. 1 ), and conversely theI/O interface system 40 converts communications generated by the SDCS100 into corresponding physical I/O and routes the physical I/O torespective recipient components disposed within the field environment12, e.g., via corresponding links 42-58. As such, the I/O interfacesystem 40 is interchangeably referred to herein as an “I/O gateway” 40.In the embodiment illustrated in FIG. 1 , the SDCS 100 and at least aportion of the I/O gateway 40 are implemented using a common set ofhardware and software computing resources, e.g., a same computingplatform. That is, in the embodiment illustrated in FIG. 1 , the SDCS100 and at least a portion of the I/O gateway 40 (e.g., the portions ofthe I/O gateway 40 which perform converting, routing, switching, etc.)share at least some computing hardware and software resources; however,the I/O gateway 40 further includes the physical I/O ports or I/Ohardware interfaces to the data or communication links 42-58. In otherembodiments, though, the SDCS 100 and the I/O gateway 40 may beimplemented on separate, communicatively connected computing platforms,each of which utilizes a separate set of hardware and software computingresources, e.g., as is depicted in FIG. 2 .

Turning now to the field environment 12, FIG. 1 depicts various physicalcomponents and/or devices (e.g., process control devices, field devices,network elements, etc.) that are disposed, installed, and interconnectedtherein which operate to control the industrial process (e.g., thephysical process) during run-time of the plant 10, e.g., by collectivelycommunicating and physically operating to transform raw or inputmaterials into desired products or output materials. The various fielddevices 60, 62, 70, 80, 90 and other field components 68, 72, 82 maycommunicate process I/O to/from the SDCS 100 via the I/O gateway 40 byutilizing different types of process I/O.

For example, one or more wired field devices (“FDs”) 60 may be disposedin the field environment 12 and may communicate using standard (e.g.,traditional) wired physical I/O types such as Analog Output (AO), AnalogInput (AI), Discrete Output (DO), Discrete Input (DI), etc. Wired fielddevices 60 may include, for example, valves, actuators, pumps, sensors,etc., which generate data signals and receive control signals to therebycontrol their respective physical operations in the plant 10, as well asto provide status, diagnostic, and other information. Wired fielddevices 60 may be communicatively connected with the I/O gateway 40 viawired links 42 using any known industrial automation wired protocol suchas 4-20 mA, Fieldbus, Profibus, Modbus, HART, etc. As such, the I/Ogateway 40 may include respective I/O cards or devices (not shown) whichservice the communications received and sent via links 42. Additionallyor alternatively, in some configurations, one or more wired fielddevices 60 may be directly connected to a separate, respective I/O cardor device 61, and communications to/from the separate I/O cards ordevices 61 may be delivered from/to the I/O gateway 40 via a datahighway 58, such as an Ethernet or other suitable high bandwidthtransport medium.

The field environment 12 may include one or more wireless field devices62, some of which may be intrinsically wireless, and some of which maybe wired field devices which are connected to respective wirelessadaptors. Wireless field devices and adaptors 62 may communicate via anyknown industrial automation wireless protocol, such as WirelessHART, ora general purpose wireless protocol, such as Wi-Fi, 4G LTE, 5G, 6G, etc.via respective wireless links 65. One or more wireless gateways 68 mayconvert the wireless signals received from wireless devices 62 via thewireless links 65 into wired signals that are delivered to the I/Ogateway 40 via one or more links 48, and may convert signals receivedfrom the I/O gateway 40 via links 48 into wireless signals and transmitthe wireless signals to the appropriate recipient devices 62 viawireless links 65. Thus, the links 48 may support a wireless I/O type,and the I/O gateway 40 may include respective wireless I/O cards ordevices (not shown) which service the communications sent and receivedvia the links 48. In an embodiment (not shown in FIG. 1 ), at least someof the links 48 may be directly connected to a respective wireless I/Ocard or device, which in turn may be communicatively connected to theI/O gateway 40 via a data highway (e.g., in a manner similar to wireddevices 60 and I/O cards/devices 61), where the data highway may beincluded in the data highway 58 or may be a different data highway.

The process plant 10 may include a set of field devices 70 which arecommunicatively connected to the I/O gateway 40 via respective terminals72, one or more remote or marshalling I/O cabinets or systems 75 and oneor more links 50. That is, each of the field devices 70 may communicateusing a standard or traditional wired I/O type (e.g., AO, DO, AI, DI,etc.) to the remote I/O marshalling system 75 via a correspondingphysical connection and terminal 72. One or more processors 78 of theremote I/O system 75 may serve as a local switch of the remote I/Osystem 75, and thus may switch or route communications to/from thephysical terminals 72 (and their respective connected field devices 70)and the I/O interface system 40, e.g., via links 50. Accordingly, thelinks 50 may support a marshalled or remote I/O type, and the I/Ogateway 40 may include respective I/O cards or devices to service thecommunications delivered via the links 50. In an embodiment (not shownin FIG. 1 ), at least some of the links 50 may be directly connected toa respective remote I/O card or device, which in turn may becommunicatively connected to the I/O gateway 40 and communicationsto/from the remote I/O card or device may be delivered from/to the I/Ogateway 40 via a data highway, via a data highway (e.g., in a mannersimilar to wired devices 60 and I/O cards/devices 61), where the datahighway may be included in the data highway 58 or may be a differentdata highway.

In some implementations, the process plant 10 includes a set of wiredand/or wireless field devices 80 which communicatively connect to theI/O gateway 40 via an APL (Advanced Physical Layer) switch 82. Generallyspeaking, the APL switch 82 and its links 85 provide power to fielddevices 80 and in some cases to other devices such as wireless router88, e.g., in a manner which meets the jurisdictional power safetyrequirements of the hazardous field environment 12. Typically, theAPL-compatible links 85 provide data transport to/from field devices 80and wireless router 88 via high bandwidth transport media and packetprotocols, such as Ethernet and IP protocols, or other suitable highbandwidth transport media and packet protocols. Some of the fielddevices 80 may be next-generation or APL-compatible field devices, andsome of the field devices 80 may be standard field devices which areconnected to the links 85 via respective APL adaptors. Similar to thelinks 85, the links 55 communicatively connecting the APL switch 82 andthe I/O gateway 40 may also utilize APL-compatible transport mediaand/or packet protocols, such as high-bandwidth Ethernet and IPprotocols, and thus the links 55 may support an APL I/O type.Consequently, the I/O gateway 40 may include respective I/O cards ordevices to service the communications delivered via the links 55.

Further, in some configurations, the APL switch 82, or another APLswitch (not shown) which is communicatively connected to the I/O gateway40, may provide a direct connection to a remote I/O bus, such as theremote I/O bus included in the remote I/O cabinets or marshallingsystems 75, or another remote I/O bus included in another remote I/Ocabinet or marshalling system (not shown). In these configurations, theAPL switch may provide power to the remote I/O cabinet or marshallingsystem.

In some configurations, the process plant 10 may include a set of fielddevices 90 which communicatively connect to the I/O gateway 40 viastandard or non-APL Ethernet connections 52. For example, the fielddevices 90 may communicate with the SDCS 100 via the I/O gateway 40 byusing an industrial control IP protocol, such as HART-IP or othersuitable industrial control IP protocol, via one or more high-bandwidthEthernet links 52 which are shielded from the hazardous fieldenvironment 12 but do not provide power to the field devices 90. Assuch, the links 52 support a standard Ethernet or packet I/O type, andthe I/O gateway 40 may include respective I/O cards or devices toservice the communications delivered via the links 52. In an embodiment(not shown in FIG. 1 ), at least some of the links 52 may be directlyconnected to a respective IP-compatible (standard Ethernet) I/O card ordevice, which in turn may be communicatively connected to the I/Ogateway 40 via a data highway (e.g., in a manner similar to wireddevices 60 and I/O cards/devices 61), which may be included in the datahighway 58 or may be a different data highway.

Of course, the field devices 60, 62, 70, 80, 90 and field components 68,72, 82 shown in FIG. 1 are exemplary only. Other types of field devicesand field components of the industrial process plant 10 may beadditionally or alternately utilized in the process plant 10, and maycommunicate with the SDCS 100 via the I/O gateway 40 by utilizingsuitable links, protocols, and process I/O types.

FIG. 2 depicts a block diagram of an architecture of an example softwaredefined control system (SDCS) 200, which may be included in theindustrial process plant of FIG. 1 . For example, at least a portion ofthe architecture 200 may be utilized by the SDCS 100 of FIG. 1 .Generally speaking, and as is described below, the SDCS 200 utilizes alayered architecture in which business logic of the SDCS 200 isabstracted from the physical computing platform of the SDCS 200. Forease of discussion, the SDCS 200 is described with simultaneousreference to various portions of the industrial process plant 10 of FIG.1 ; however, this is only for illustration purposes and is not limiting.

FIG. 2 depicts the SDCS 200 as communicatively connected to the fieldenvironment 12 via an I/O interface system or I/O gateway 202, which,unlike the I/O interface system 40 of FIG. 1 , utilizes a set ofhardware and software computing resources different that those utilizedby the SDCS 200. The functionalities 202 a provided by the I/O interfacesystem 202, such as switching, routing, and converting communicationsdelivered between the SDCS 200 and devices or components disposed in thefield environment 12 of the process plant 10, are performed by utilizingthe hardware and/or software computing resources of the I/O gateway 202,for example. As such, these functionalities 202 a are categorically andcollectively referred to herein as a “network switch” 202 a. Thesoftware and hardware resources utilized by the network switch 202 a maybe implemented on one or more memories and processors of the I/O gateway202. For example, the network switch 202 a may be implemented on one ormore servers, by a bank of networked computing devices, a cloudcomputing system, one or more data clusters, etc. Similar to theinterface system 40 of FIG. 1 , though, the I/O interface system 202includes a set of physical ports or interfaces 202 b via which varioustypes of I/O links 42-58 deliver physical I/O from the SDCS 200 tocomponents of the field environment 12 and vice versa. The I/O interfacesystem 202 and the SDCS 200 may be communicatively connected via one ormore links 205, which typically are high bandwidth data or communicationlinks.

As shown in FIG. 2 , the architecture of the SDCS 200 includes acomputing platform 208 of hardware and software resources which supportthe higher layers of the architecture. Accordingly, the computingplatform 208 is interchangeably referred to herein as the “physicallayer 208” of the SDCS 200, as it contains physical processors,processor cores, memories, and networking interfaces. The computingplatform or SDCS physical layer 208 includes a set of data centerclusters C1, C2, . . . , Cn, each of which includes a respectiveplurality of nodes, where the nodes included within each data centercluster may be at least partly, if not entirely, interconnected. Eachnode of each data center cluster includes one or more respectiveprocessors and/or processor cores, one or more respective memories, andrespective networking resources, such as one or more respective physicalcommunication interfaces which communicatively connect the node to oneor more other nodes of the data cluster. For example, a node may beimplemented on a single server, or may be implemented on a bank or groupof servers.

Additionally, each data center cluster is communicatively connected ornetworked with one or more of the other data center clusters of theplatform 208. As such, this disclosure also interchangeably refers tothe computing platform 208 of the SDCS 200 as “data center clusters,”“computing platform nodes,” or “nodes” 208. In FIG. 2 , the SDCS HyperConverged Infrastructure (HCI) operating system (OS) 210 (which isinterchangeably referred to herein as an “SD HCI OS” 210) of the SDCS200 may assign, designate, or allocate various nodes 208 to performrespective roles to support the SDCS 200, such as computing (e.g., viathe nodes' respective processors and/or processing cores) or datastorage (e.g., via the nodes' respective memories). Nodes 208 which areassigned, designated, or allocated to perform computing activities ofthe SDCS 200 are respectively referred to herein as “compute nodes” or“computing nodes.” Similarly, nodes 208 which are assigned, designated,or allocated to perform storage activities of the SDCS 200 arerespectively referred to herein as “storage nodes.” An individual node208 may be utilized as only a compute node, only a storage node, or asboth a compute node and a storage node, and the role(s) of eachindividual node 208 may dynamically change over time, for example, asdirected by the SD HCI OS 210. Advantageously, the computing platform208 is scalable, so that individual nodes 208 and/or individual clustersC_(x) may be easily added, removed, swapped out, etc. as needed tosupport the Software Defined process control system 200, and inparticular, in accordance with the requirements of the other, higherlayers of the SDCS 200.

The SDCS Hyper Converged Infrastructure (HCI) operating system 210executes on the computing platform 208, and may be built based on anysuitable general purpose HCI operating system (OS) such as MicrosoftAzure Stack, VMWare HCI, Nutanix AOS, Kubernetes Orchestration,including Linux Containers (LXC/LXD), Docker Containers, KataContainers, etc. As such, the SDCS HCI OS 210 provides a set ofcomputing, storage, and networking support services in a manner somewhatsimilar to general purpose HCI operating systems. However, in contrastto general purpose HCI OSs, and advantageously, in the SDCS 200 these SDHCI OS support services are dynamically responsive to the logical orabstracted process control system of the SDCS 200, e.g., to the softwarecomponents of the application layer 212 of the SDCS 200. That is, asperformance, resource needs, and configurations of the variousapplication layer services, subsystems, and other software components ofthe application layer 212 dynamically change (and/or are dynamicallypredicted, by services within the application layer 212, to change), theSDCS HCI operating system 210 may automatically and responsively adjustand/or manage the usage of hardware and/or software resources 208 of theSDCS 200 to support the needs and the requirements of the SDCS 200 forcomputing, storage, and networking, as well as for other functionalitiesrelated to industrial process control. To this end, the SD HCI operatingsystem 210 may include a set of support services including, for example,a Software Defined (SD) Computing (or Compute) service 215, an SDStorage service 218, an SD Networking service 220, an SD Orchestratorservice 222, and optionally one or more other SDCS HCI OS supportservices and/or functions 225. As such, in an embodiment, the SDCS HCIoperating system 210 includes a general purpose HCI operating systemplatform (e.g., Microsoft Azure Stack, VMWare HCI, etc.) which has beenparticularly customized to include the SD Computing service 215, the SDStorage service 218, the SD Networking service 220, the SD Orchestratorservice 222, and the other SDCS HCI OS support services and/or functions225, where the set of support services 215-225 is automaticallyresponsive to and particularly supports SDCS application layer softwarecomponents 212 of the Software Defined control system 200. Generallyspeaking, the SD HCI OS 210 and the SD support services 212-225 whichthe SD HCI OS 210 provides are collectively and generally referred toherein as the “software defined networking layer” 210 of the SDCS 200.

In particular, as the SDCS HCI OS 210 manages the allocation of thehardware and software resources of the nodes of the physical layer 208via the SDCS HCI OS support services 215-225, the SDCS HCI OS supportservices 215-225 may serve as interface services between the SDCS HCI OS210 and the higher level services, subsystems, and other softwarecomponents of the application layer 212 of the SDCS 200, and/or mayprovide a framework for the higher level services, subsystems, and othersoftware components of the application layer 212. As such, the softwarecomponents of the SDCS application layer 212 may interface with the SDHCI OS 210 (and in some cases, particularly with one or more of itsSD-specific support services 215, 218, 220, 222, 225) via a set ofApplication Programming Interfaces (APIs) 228, either via an HCI Adaptor230 (also referred to herein as an “HCI Adaptor layer” 230) and anotherset of APIs 232, or directly (not shown in FIG. 2 ). The HCI Adaptorlayer 230 enables the SDCS application layer 212 to access the supportservices 215, 218, 220, 222, 225 while remaining agnostic of theparticulars of the general purpose HCI operating system (e.g., MicrosoftAzure Stack, VMWare HCI, etc.) which has been customized with suchSD-specific services 215-225 to form the SD HCI OS 210. Accordingly, theHCI Adaptor 230 transforms or translates the APIs 228 utilized by theSDCS application layer 212 into a set of APIs 232 which are understoodor otherwise known to or compatible with the customized or adaptedgeneral purpose HC operating system 210 of the SDCS 200.

Thus, unlike generalized, layered IT (Information Technology) systemarchitectures in which business logic applications are abstracted fromthe hardware and software computing platform and for which themanagement of computing platform resources is largely governed anddesigned by human IT administrators, the architecture of the SDCS 200not only abstracts the higher level, business logic services,subsystems, and other software components of the application layer 212from the hardware and software computing platform 208, but also enablesthe higher level SD services, subsystems, and other software components212 to dynamically, automatically, and responsively direct and causechanges to the usage of the hardware and software resources of the nodesand clusters of the computing platform 208, e.g., via the APIs 228 andthe SD support services 215, 218, 220, 222, 225, and without requiringany human intervention or direction. Particularly, and advantageously,the management of the resources of the computing platform 208 isdynamically responsive to changes in configurations and needs of thesehigher level SD services, subsystems, and other software components ofthe application layer 212, and in particular, with respect to theparticular requirements, metes, and bounds of industrial process controlsystems.

In the SDCS 200, industrial process control and other associatedbusiness logic are performed by the higher level SD services,subsystems, and other software components 235, 238, 240, 242, 248 at theapplication layer 212 of the SDCS 200. For ease of reading herein, thisdisclosure categorically refers to these higher level SD services,subsystems, and other software components 235-248 as Software Defined“application layer software components” of the SDCS 200. Collectively,the sets of SD application layer components 235, 238, 240, 242 (andoptionally at least some of the third party services 248) form a logicalprocess control system 245 (also referred to herein interchangeably as a“virtual process control system” 245) for controlling one or moreindustrial or physical processes which execute, for example, in theindustrial process plant 10. As shown in FIG. 2 , the SD applicationlayer software components 212 include a set of process control services235 and a set of process control subsystems 238, and optionally mayinclude a set of other SDCS business logic services 240. In FIG. 2 , theI/O server service 242 is depicted separately for clarity of discussion(and not limitation) purposes; however, the I/O server service 242 maybe included in a subsystem 238 of the SDCS 200, or may be included inthe set of other SDCS business logic services 240. Indeed, in otherembodiments of the SDCS 200 (not shown), at least a respective portionor an entirety of the I/O server service 242 may be implemented in theHCI Adaptor 230, in the SD HCI operating system 210, and/or in even inthe network switch 202 a. Additionally, in some implementations of theSDCS 200, a set of third-party business logic services 248 may alsoexecute at the SDCS application layer 212, and may or may not operate aspart of the logical process control system 245. For example, third-partyservices 248 may be generated by a software development kit (not shown)of the SDCS 200, via which users may develop, generate, install, andmanage third-party services 248 at the SD application layer 212. Moredetailed discussion of the I/O Server service 242 and third-partyservices 248 are provided elsewhere within this disclosure.

In an embodiment, at least some of the SD application layer softwarecomponents 235-248 may be deployed as microservices which arecommunicatively connected via a microservice bus (not shown), so thatthe microservices 235-248 may transfer data to and receive data fromother microservices 235-248. The microservices 235-248 and delivery ofdata there between may be supported and/or managed by the I/O serverservice 242 and/or by the SD HCI operating system 210 and its SD supportservices 215-225. As such, the SD application layer software components235-248 may execute on any suitable hardware platform 208 which can runthe SD HCI operating system 210, such as server class hardware, embeddedhardware, and the like. Accordingly, the microservices 235-248 may bebusiness-logic components of the SDCS 200 which are abstracted away fromthe computing platform 208.

Within the architecture of the SDCS 200, the application layer softwarecomponents 235-248 may execute in containers, thick-provisioned virtualmachine environments, thin-provisioned virtual machine environments,and/or other suitable types of encapsulated execution environments asInstantiated Software Components (ISCs). For example, an ISC may be acontainer configured with an instance of a particular application layersoftware component 235-248 to form a configured container or containerimage for the particular application layer software component 235-248,and the container image of the particular application layer softwarecomponent 235-248 may be instantiated for execution on a particular node208 as a specific ISC. In another example, an ISC may be a specificapplication layer software component 235-248 implemented as an instanceof a virtual machine (e.g., of a process- or application-virtualmachine) to form a virtual machine image for the specific applicationlayer software component 235-248, and the virtual machine image of thespecific application layer software component 235-248 may beinstantiated for execution on a specific node 208 as a specific ISC. Atany rate, whether container-based or virtual machine-based, theencapsulated execution environments of the SD application layer softwarecomponents 235-248 isolate instantiated and executing softwarecomponents 235-248 from other services and applications which areexecuting on the same node 208. However, for ease of discussion (and notfor limitation purposes), the execution environments of the SDapplication layer software components 235-248 are referred to herein as“containers,” although one skilled in the art will understand the thatprinciples and techniques described herein with respect to containersmay be easily applied to virtual machines, if desired.

With the SDCS 200, each instance of an application layer service 235,240, 248 may execute in a respective container, each subsystem 238 maybe provided or execute in a respective container, the I/O server service242 may execute in a respective container, etc., thereby formingrespective configured containers or container images. For example, acontroller service 235 may be configured with one or more processcontrol module services 235, parameters, and values of the industrialprocess plant 10, such as tags of inputs and outputs, reference values,and the like, thereby forming a configured or programmed controllerservice. A container may be configured with an instance of theconfigured controller service, thereby forming a container image of theconfigured controller service. Said another way, the configuredcontainer includes an instance of the configured controller service,where the instance of the configured controller service is executable toperform the specific, configured set of process control logic using theconfigured control module containers, tags, reference values, etc.Multiple instances of a configured controller service (or of otherconfigured services) may be instantiated and executed by the SDCS 200,as is described elsewhere within this disclosure.

Container images (or instances of configured controller services withincontainers) may be allocated, pinned, or dynamically assigned, e.g., viathe SD compute service 215, to execute on respective SD nodes and/ordata center clusters 208. The SD compute service 215 may dynamicallychange, update, maintain, and/or otherwise manage the container imagesand their respective assignments to compute nodes 208 as or when needed,e.g., to load-balance across compute nodes 208, for scheduledmaintenance of compute nodes 208 and/or physical components thereof, inresponse to detected performance issues, to support expansion orcontraction of the logical process control system 245, to supportexpansion or contraction of the computing platform 208, etc. In someimplementations, containers in which application layer softwarecomponents 235-248 execute (e.g., configured containers or containerimages) may be assigned or pinned to (or otherwise execute on) an I/Odevice external to (e.g., separate from) the SDCS 200, such as a deviceincluded in the I/O interface system 202. In these implementations, theSDCS 200 discovers such configured containers executing on otherdevices/systems (which are referred to herein as “microcontainers”), andincludes the discovered microcontainers in network scheduling and otheraspects corresponding to the logical process control system 245.

Within the SDCS 200, some configured containers may be allocated orassigned to respective SD compute nodes 208 and dynamically re-assignedto different SD compute nodes 208 by the SD compute service 215 based ondynamically changing configurations, performance, and needs of thelogical process control system 245. In some situations, containers maybe assigned (and re-assigned) to be executed by particular processors orparticular processor cores of SD compute nodes 208. Some configuredcontainers, though, may be pinned to respective SD compute nodes 208(e.g., by the SD compute service 215, by a configuration, by a user,etc.) and are not dynamically re-assigned by the SD compute service 215due to dynamically occurring conditions. That is, a pinned configuredcontainer may execute on the SDC compute node 208 to which theconfigured container is pinned until the configured container isunpinned from the compute node 208, e.g., irrespective of dynamicconditions of the logical process control system 245 (other than perhapsthe failure of the compute node 208 to which the configured container ispinned). Said another way, the software defined networking layer 210 maylimit the utilization, by the pinned configured container, to only thehardware and/or software resources to which it is pinned, and when theconfigured container is unpinned, the SD networking layer 210 removesthe limitation. Containers may additionally or alternatively be pinnedto other physical or logical components of the SDCS 200, if desired. Forexample, a container may be pinned to another container, to a specificdata cluster, to a particular processing resource (e.g., a particularphysical processor or a particular physical processor core of an SDcompute node 208), to a physical rack or portion of a physical rackserviced by a particular power supply (where the physical rackphysically houses the hardware of one or more nodes), etc.

Further, configured containers may be nested within other configuredcontainers, which is particularly useful in configuring and organizingthe logical process control system 245. For example, when a particularprocess control subsystem 238 provides a particular set of controlservices 235 and/or other SDCS services 240, a configured container ofeach provided service 235, 240 of the particular set may be nested inthe configured container of the particular process control system 238.Allocation/assignment of configured containers to compute nodes 208,pinning, and nesting of configured containers is described in moredetail elsewhere within this disclosure.

For clarity and ease of discussion herein, the term “container” isutilized herein to generally refer to an instantiated software component(ISC) which is a configured container or a container image, e.g., acontainer which has been configured to include an instance of arespective SDCS controller service, SDCS subsystem, or other serviceprovided by the SDCS 200. Accordingly, semantically speaking, withinthis disclosure a “container” may be instantiated and assigned toexecute at a computing node 208, a “container” may be pinned to aparticular computing node or to other containers, and a “container” maybe nested within another “container.”

At any rate, in a manner similar to that discussed for the computingresources of the computing platform 208, containers may be dynamicallyallocated and/or assigned, pinned, and/or nested, e.g., via SD storageservice 218, to various SDC storage nodes 208 to thereby support variousstorage needs of the logical process control system 245. For example,the SD storage service 218 may administer and manage the logical storageresources utilized by containers of the logical process control system245 across various physical hardware memory resources of one or morenodes 208. For instance, the configured container and the memory neededfor its operations (e.g., Random Access Memory or similar) may be storedon a particular SD storage node 208 or a particular memory device orspace of an SD storage node 208. Examples of types of physical hardwarememory resources 208 may include (but are not limited to) pools ofvolume file systems across multiple hard drive (and/or flash drive)devices; NRAM, MRAM, FRAM, PRAM, and/or other types of NVRAM; NVMememories, to name a few.

Additionally, if desired, some containers may be pinned to respective SDstorage nodes 208 and/or to specific memory devices or memory areas ofthe SD storage nodes 208. The SD storage service 218 may change, update,or otherwise manage the physical hardware memory or memories 208 tosupport logical storage resources of the SDCS 200 when and as needed,e.g., due to disk or other types of errors, for scheduled maintenance,due to the addition/expansion of available physical memory in thecomputing platform 208, etc.

Still similarly, the SD networking service 220 may administer and managethe logical or virtual networking utilized by the logical processcontrol system 245, which may be implemented by the SD networkingservice 220 across the nodes 208. For example, the SD networking service220 may administer and manage networking and hardware resources of thecomputing platform 208 to support the logical networking functionalitiesincluded in the logical or virtual process control system 245, such asvirtual interfaces, virtual switches, virtual private networks, virtualfirewall rules, and the like, as well as to support required networkingbetween various containers or container images of the logical processcontrol system 245. As the logical process control system 245 servicesthe industrial process plant 10, the timing and synchronization oflogical and physical components of the SDCS 200 and networking therebetween is critically important, as missed and/or lost messages orcommunications may result in the industrial or physical process becominguncontrolled, which may in turn lead to catastrophic consequences suchas overflows, gas leaks, explosions, loss of equipment, and, in somesituations, loss of human life. Fortunately, the SD networking service220 is responsive to the critical process I/O timing and synchronizationof the SDCS 200 so that communications (and in particular,communications to/from control services 235), may be reliably deliveredin a timely and deterministic manner. For example, the SD networkingservice 220 may support the time synchronization of data center clusters208 to within 1 millisecond to ensure required synchronization betweenprocess control services 235, process control subsystems 238, the I/Oserver 242, and other SDCS services 240, 248 of the SDCS applicationlayer 212.

In addition to the SD compute service 215, the SD storage service 218,and the SD networking service 220, the SD HCI operating system 210 mayprovide other OS support services 225 which are accessible via the setof APIs 228, 232 and which are utilized or accessed by the applicationlayer 212 to support the logical process control system 245. Forexample, the other SD HCI OS services 225 may include a service lifecycle management service, a discovery service, a security service, anencryptor service, a certificate authority subsystem service, a keymanagement service, an authentication service, a time synchronizationservice, a service location service, and/or a console support service(all not shown in FIG. 2 ), to name a few. A more detailed discussion ofthese other process control system related OS support services 225 isprovided elsewhere within this disclosure. In some embodiments of theSDCS 200, one or more of the support services may execute at theapplication layer 212, e.g., as other SDCS services 240, instead ofexecuting at the software defined networking layer 210 as OS supportservices 225.

Now turning to the application layer 212 of the SDCS 200, the set of SDprocess control services 235 provide the process control business logicof the logical process control system 245. Each different controlservice 235 may be configured with desired parameters, values, etc. andoptionally other control services 235; each instance of a configuredcontrol service 235 may execute in a respective container; and eachcontainer may be assigned (or pinned) to execute on a respective node orcluster. As such, each configured control service 235 may be a logicalor software defined control entity which functionally may be configuredand may perform in a manner similar to that of a traditional,hardware-implemented process controller device, process control module,process control function block, etc. However, unlike traditional,hardware-implemented process controller devices, traditional controlmodules, and traditional control function blocks, and advantageously,the SDCS 200 may easily replicate multiple instances of a sameconfigured control service 235 for various purposes, such asperformance, fault tolerance, recovery, and the like. For example, acontroller service (which executes in its own container) may beconfigured to execute a control module service (which executes in itsown container), and the control module service may be configured toexecute a set of control function block services (each of which executesin its own container, and each of which may be configured withrespective parameters, values, etc.). As such, the set of containerscorresponding to the set of configured control function block servicesmay be nested in the control module service container, and the controlmodule service container may be nested in the controller servicecontainer. The set of containers corresponding to the set of configuredfunction block services may be assigned to execute on different cores ofa physical layer processor 208, e.g., for performance load-balancingpurposes. When loads change, one or more of the function block servicecontainers may be moved to execute on different processor cores,different processors, or even different nodes in attempt to re-balanceloads; however, the moved function block service containers would stillbe nested under the control module service container, and would executeaccordingly.

In addition to software defined control services 235, the SDCSapplication layer 212 may include other types of SDCS application layerservices 240 such as, but not limited to, operator displays andinterfaces, diagnostics, analytics, safety routines, reporting,historization of data, configuring of services, configuring ofcontainers, communicating information with external or other systems,etc. Generally speaking, any module or process control system-relatedfunctionality or business logic which is able to be configured in atraditional process control system and downloaded into and/orinstantiated at a specific physical device of the traditional processcontrol system for execution during run-time of an industrial processplant may be logically implemented in the SDCS 200 as a respectiveservice 235, 240 executing in a respective container. Further, any ofthe containerized SD control services 235 may communicatively connect,e.g., via the SD networking layer 210, with respective one or moredevices disposed in the field environment 12 of the industrial processplant (e.g., process control field devices 60, 62, 70, 80, 90; userinterface devices and/or other field environment devices) and/or withrespective one or more user interfaces/user interface devices 20 a-20 eto transfer I/O data and/or other types of data there between whenrequired to do so by the business logic of the containerized SD controlservice 235 and/or by the recipient device (or application or serviceexecuting on the recipient device). In some situations, differentcontainerized SD control services 235 may communicatively connect withother containerized SD control services 235 and/or with other SDCSservices 240 (e.g., via the SD networking layer 210, I/O server service242, microservice bus, etc.) to transfer data there between whenrequired to do so by their respective business logic.

The set of SD subsystems 238 at the application layer 212 of the SDCS200 provide the virtual or logical process control-related subsystems ofthe logical process control system 245. Each different SD subsystem 238may be provided by or execute in a respective container. In some cases(not shown in FIG. 2 ), a subsystem 238 may provide or include one ormore application layer services and, as such, the containers of theservices 235, 238 provided by the subsystem may be nested in thesubsystem container. For example, a historian subsystem 238 may includea read service, a write service, and a search service, respectivecontainers of which are nested in the historian subsystem container. Inanother example, a batch process control subsystem 238 may include aunit procedure service, a recipe service, and a regulatory recordgeneration service, which may be nested within the batch process controlsystem container. Generally, the set of SD subsystems 238 allow SDCScontrol services 235 and other SDCS services 240 to be easily andcoherently grouped and/or managed. In a preferred embodiment, each node208 of the SDCS 200 hosts a respective instance of each subsystem of theset of SD subsystems 238, e.g., so that subsystem services areproximately and readily available to other application layer services235, 240, 248 which are presently executing on each node 208.Accordingly, changes to one or more of the subsystems 238 may becoordinated among the corresponding instances thereof executing at eachnode 208 (e.g., under the direction of the SD HCI OS 210). As such, notonly is the set of SD subsystems 238 highly and proximately availablefor any SD service 235, 240, 248 executing on a same node 208, but inthe event of a node failure, the failure of a node component, or thefailure of a particular subsystem instance at a node, thefunctionalities provided by the set of SD subsystems 238 may be easilymaintained for the logical process control system 245. Examples of SDsubsystems 238 include, but are not limited to: continuous processcontrol, event driven process control, batch process control,state-based control, ladder logic control, historian, edge connectivity,process user, alarm, licensing, event, version control, processconfiguration, and process I/O, to name a few.

For example, the set of SD subsystems 238 may include a continuousprocess control subsystem. The continuous process control subsystem mayinclude a set of control services 235 which are responsible for theexecution of process control tailored for continuous production andoperation. For instance, the control services 235 provided by thecontinuous process control subsystem may execute modular control (e.g.,control module services) that is capable of periodic execution with I/Oassignment. Business logic of control system entities (both logical andphysical) which may be managed within the continuous process controlsubsystem may include (but are not limited to) controllers, I/OAssignments, control modules, function blocks, ladder logic, andstructural text-based control algorithms, to name a few. Continuouscontrol module services may be scheduled periodically, with or withoutmodule chaining. For example, continuous control module services mayform chains of execution such that a user-defined set of continuouscontrol module services may execute one after another in a chainedmanner. The continuous control module service chain may execute at anassigned (periodic) quanta of execution in a best-effort evaluation ofthe control logic contained within the module service chain. Unchainedcontinuous control module services may execute in parallel with respectto chained continuous control module services during a same periodicquanta.

In another example, the set of SD subsystems 238 may include astate-based process control subsystem. The state-based process controlsystem may include a set of state-based control services 235 which areresponsible for tracking, assigning, and deriving the state of theprocess control system 245 as a whole. Generally speaking, state-basedoperations of the process control system may include operations that areintended to automatically or semi-automatically change the state of theprocess (or portion thereof) on a set of process units within the plantinfrastructure. Each state operation may have the ability to, forexample, derive a current state of a process unit, determine the currentstate, analyze differences between the current process state andrecorded normalizations for a known process state, and drive the processto achieve a process state.

For example, the state-based process control subsystem may automaticallyderive intermediate process I/O or control changes to drive at least aportion of the process control system 245 from one state to another.States for the SDCS 200 may be saved and restored, with theautomatically-derived transitions between states respecting boundaryconditions corresponding to process safety and process profitability. Toillustrate, in an example scenario, to safely drive the state of processunit A to known state B to known state B′, a set of process instructionsmay be generated (e.g., by one or more application layer services 235included in the state-based process control system), where the generatedprocess instructions respect the process safety limitation that a burnerfor a boiler unit must be less than 200 degrees Celsius. Additionally,as profitability may be maintained by minimizing the amount of fuelutilization per time period to affect the state change and by minimizingmonetary charges associated with reporting an environmental discharge,the automatically-derived process instructions may also respectprofitability constraints that limit the change in the burner output to1 degree Celsius every second so as to prevent environmental dischargedue to sudden flare-up, and/or to prevent a rich running condition onthe burner itself.

Additionally, the state-based process control subsystem may provideapplication layer services 235 which recognize unknown states within theprocess plant and resolve the unknown states. Generally speaking, anunknown state of a process plant may occur when process plant I/O andprocess tags are in a state that deviates beyond a pre-defined amountfrom a known state. Additionally or alternatively, unknown process plantstates may occur when the process I/O or process devices have anunreadable or indeterminate status or value, e.g., when a sensor has anOut of Range status, or the sensor is not communicating at all. Theapplication layer services provided by the state-based process controlsubsystems may record the last known process state of various portionsand/or components of the process control system 245, and present thelast known states to a user for comparison with unknown states. Still,the state-based process control subsystem may include application layerservices 235 which estimate the state of a process unit when a processdevice included therein is not communicating but is still operational,that is, when all other control and I/O tag values except for thoseassociated with the non-communicative process device are consistent witha known state. An example of this situation may be a field valve that isno longer communicating; however, the valve position has not changedfrom the last known process unit state. An application layer service 235included in the state-based process control subsystem may determine thatbecause all other process I/O and sensor tags still report a validprocess value for a given state, the field valve position may beestimated to be in the previously reported, known state. A statevisualization tool may show discrepancies between estimated states andthe actual process values to alert a user, e.g., so that maintenancetasks to bring the system to a known recorded, and provable (e.g., notestimated) state may be initiated.

Further, the state-based process control subsystem may provideapplication layer services 235 which automatically aid a user increating and saving a state definition. Generally speaking, processstates may be defined by the user, commonly by referencing statetransition diagrams. To aid the user in creating state definitions,application layer services 235 provided by the state-based processcontrol subsystem may automatically create a state definition by takingthe current values of a running process or digital twin system andprocessing those values into state ranges for a particular named state,e.g., as defined by the user. For example, if the plant process isshutdown, an application layer service 235 provided by the state-basedprocess control subsystem may create a state definition labeled ShutdownState by creating state ranges based on the currently-read process I/Oand device tag values. Occurring deviations (whether autonomouslygenerated or intentionally inserted) may be recorded and state rangesmay be created to capture those deviations as part of the statedefinition. For example, when a level deviation occurs due to vibrationor temperature of 10% during a data collection time period, theautomatic state definition creation application layer service 235provided by the state-based process control subsystem may generate arange of +/−10% for that process value to define as a verified range ofthe given process state definitions. Process state definitions may beautomatically derived from a running process using current processvalues, or may be derived based on particular segments of time for agiven state as indicated by a comprehensive process historian.

In another example, an event-based process control subsystem may includea set of application layer control services 235 which may be triggeredto execute based on occurrences of one or more events. For example, anevent-based control module service may execute upon an I/O conditionreaching a certain value or status. Control module service executionchains may also be triggered on an event basis. Further, various controlmodule services and/or control module service chains may be configuredto execute when an event timeout occurs, for example, when the controllogic is primarily event driven and the triggering event fails to occurwithin a certain time period. In these situations, the periodicscheduler may execute the control module services and/or control moduleservice chains after the event timeout has taken place, in embodiments.Other events within the SDCS 200 may trigger the execution of variouscontrol module services, where the other events may include diagnosticevents or conditions, process download changes, or other SDCS events.

In still another example, a batch process control subsystem may includea set of application layer control services 235 which perform batchcontrol and tracking of regulatory items (e.g., for governmentaltraceability). Application layer control services 235 provided by thebatch process control subsystem may provide unit procedure, recipe,phase, phase transitions, etc., for example. Further, application layercontrol services 235 provided by the batch process control subsystem maymanage regulatory records related to batch process control which aregenerated.

The set of SDCS subsystems 238 may include a historian subsystem whichprovides a set of application layer services 240 to record time seriesdata for process I/O and events within the Software Defined ControlSystem 200. For example, various application layer services 240 providedby the historian subsystem may subscribe to process I/O and/or eventdata for recording purposes. Other application layer services 235provided by the historian subsystem may include source time stampingservices, time compression services (e.g., which may record a constantvalue once and update a range of times accordingly), traditionaltime-series database features, and the like. Recorded historical datamay be duplicated and made available to all nodes 208 within the SDCS200. Further, in embodiments, historical data may be categorized bysource subsystem (e.g., the service or subsystem which generated thehistorical data), production asset, production tag, SDCS data path,and/or by any other desired category.

Additionally or alternatively, the set of SDCS subsystems 238 mayinclude an edge connectivity subsystem, which may provide, via arespective set of application layer services 240, a set of edgeprotocols that allow process control data to be sent to and receivedfrom various third party components external to the process controlsystem. Examples of such edge protocols include OPC-UA and MQTT, to namea few. The edge connectivity subsystem may include one or moreapplication layer services 240 which provide cloud connectivity to theSDCS 200, where cloud-based applications may support variousfunctionalities such as monitoring the industrial process plant forplant status and asset health as well as other types of functionalities.At least some of the application layer services 240 provided by the edgeconnectivity subsystem may generate a logical representation of the SDCS200 and corresponding process I/O data as a data model specific to theedge protocol being used. Such data models allow secured, third partyaccess to selected process data, when desired.

In some embodiments, the set of SDCS subsystems 238 include a diagnosticsubsystem, which may provide a set of application layer services 240 forcollecting and providing diagnostic data from various other SDapplication layer services 235, 240, 248; from various other SDsubsystems 238; from nodes 208; and from SD networking layer components210 of the SDCS 200.

The set of SDCS subsystems 238 may include a process I/O subsystem whichprovides a set of application layer services 240 to manage I/Oconnections and configurations for process I/O within the processcontrol system 245. As previously mentioned, the process I/O subsystemmay provide the I/O server service 242, in embodiments.

The set of SDCS subsystems 238 may include a process user subsystemwhich provides a set of application layer services 240 to verify and/orvalidate user credentials when users log into the SDCS 200.Additionally, the services 240 of the process user subsystem may provideuser information to other services 235, 240, 248, e.g., forauthorization. Users' data may be replicated within the data centerclusters 208, if desired.

Still, the set of SDCS subsystems 238 may include an alarm subsystemwhich provides a set of application layer services 240 for maintainingthe definitions, statuses, and states of alarms within the SDCS 200.Alarms may include, for example, process alarms, hardware alarms,maintenance alarms, unit alarms, networking layer alarms, I/O alarms,hardware asset alarms, software asset alarms, diagnostic alarms, and thelike.

In some implementations, the set of SDCS subsystems 238 may include alicensing subsystem which provides a set of application layer services240 to verify or ensure that a user has privileges in accordance withthe license level of the SDCS 200. License levels may be made availableto all SDCS services 235, 240 and subsystems 238, and may take the formof perpetual licenses, time subscription licenses, consumption-basedlicenses, remote licenses (e.g., license data from the cloud or from adedicated license server), etc. Application layer services 240 providedby the licensing subsystem which enforce licenses are particularimportant, because when licenses for the SDCS 200 expire or areinvalidated, the SDCS 200 may be running a process that is critical orhazardous to human health. In such situations, the license enforcementservices may prevent unlicensed activity from occurring, while ensuringthat license enforcement does not result in an unsafe environment forusers. For example, in an embodiment, when the SDCS 200 becomesunlicensed, all user-facing applications, operator graphics, andworkstations may be overlaid with a watermark or semi-transparent bannertext showing that the system has become unlicensed, and all servicesexcept for services provided by control subsystems may reject anychanges or modifications thereto. As such, some licensed functionalitymay be diminished or deactivated, while simultaneously ensuring thatprocess execution does not become uncontrolled or dangerous.

To manage licensing, in an embodiment, the licensing subsystem mayinclude an application layer service 240 which provides for only asingle primary administrator console session or user session which isallowed to control plant operations with respect to licensing-basedrestrictions; all other console and/or user sessions may be preventedfrom effecting any user-initiated changes. As such, the licensingsubsystem may provide an application layer service 240 which provides amechanism to determine that only one session with Administratorprivileges (e.g., at a time) is able to execute control operations in anunlicensed state. For example, if an active Administrator console orsession fails or becomes unresponsive, then the licensing subsystem mayallow a subsequent active administrator session to control plantoperations. All other console sessions and user sessions may beprevented from making changes to the process control system until afterlicensing has been restored.

Further, in embodiments, the licensing subsystem may provide anapplication layer service 240 configured to remotely report licensingstatus and/or activities to a manufacturer system, e.g., for enforcementand/or legal remedies. In configurations in which remote reporting isnot provided by the manufacturer, the licensing subsystem may, via oneor more application layer services 240, maintain a record log of alllicense-related events for future retrieval.

The set of SDCS subsystems 238 may include a distributed event subsystemwhich provides a set of application layer services 240 to distributegenerated events (or notifications thereof) across all nodes 208 of theSDCS 200, along with corresponding time stamps indicating respectivetimes of occurrences at respective event sources. In this manner,consistent record keeping may be provided across all nodes 208.

Additionally, each node 208 of the SDCS 200 may include an instance of aconfiguration subsystem 238, where the configuration subsystem 238stores, in a configuration database provided by the configurationsubsystem 238, the configurations of control services (e.g., of allcontrol services 235) executed by the SDCS 200. Consequently, whencontrol strategies are modified and saved (e.g., as respective updatedcontrol services 235), the configuration subsystem, via respectiveapplication layer services 240, may update associated configurationswithin the configuration database accordingly. As a respective instanceof the configuration database is stored at each node 208, the SDCS 200provides fault tolerance of the configuration database across all nodesof the SDCS. As such, writes to the database (e.g., as executed by aconfiguration database write service provided by the configurationsubsystem) may be atomic across all fault tolerant instances throughoutthe SDCS. That is, a database write transaction is not complete untilall of the fault-tolerant instances of the configuration subsystem atall of the nodes 208 have received and processed the write operation.Atomic writes may be granular to the item or particular configurationbeing accessed. As such, when one entity within the database is beingwritten to, other entities within the database may also be written to(e.g., at the same or overlapping time) in a multi-threaded manner, asthe synchronization locking mechanism scope may be limited to each itemor object (entry) being written. Further, lock and unlock operations maybe atomic across all instances of the configuration database, so thatobtaining an object lock is not considered successful until all copiesof that object at all instances of the configuration database arelocked. Further, the configuration subsystem may provide one or moreapplication layer services 240 to manage version control of theconfiguration database. For example, version control services may trackchanges to the configuration database, when the changes occurred, andthe respective parties who checked-in the changes.

Reads from the configuration database (e.g., as executed by aconfiguration database read service provided by the configurationsubsystem) may be from a single local instance of the configurationdatabase. In some situations, though, a database read request may bedistributed among multiple nodes 208, e.g., so that a large read requestmay be segmented and results provided in a parallel manner from themultiple nodes 208.

As previously mentioned, the I/O server service 242 of the SDCS 200 maybe included in the Process I/O subsystem or in another subsystem 238.Alternately, the I/O server service 242 may be an SDCS service 240 whichis in its own, stand-alone subsystem, or is not associated with anysubsystem. At any rate, the I/O server service 242 generally operates asa service which is responsible for transferring I/O data (and, in somescenarios, other types of data) between endpoints of the logical processcontrol system 245, e.g., from a field device to an instantiatedcontainer image of an application layer service 235, 240, 248 (such as acontroller, operator interface, diagnostics, analytics, historian, orthird-party service); from an instantiated container image of anapplication layer service 235, 240, 248 to a field device, from aninstantiated container image of a control service 235 to anotherinstantiated container image of another type of SDCS service 240 (e.g.,operator interface, diagnostics, analytics, historian, third-partyservice, etc.); and the like. For example, the I/O server service 242may communicatively couple the respective endpoints and transfer datathere between using any suitable data delivery or data transferparadigm, including request/response, publish/subscribe, etc.

As such, the I/O server service 242 may be accessed by other applicationlayer software components 235, 238, 240, 248 for the purposes of datatransfer or data delivery, and the I/O server service 242 may utilizethe APIs 228 to thereby cause the I/O data and/or other types of datatransfer, e.g., via the SD HCI OS support services 215-225. In somesituations, the I/O server service 242 may cause data to be transferredvia the microservice bus. In effect, the I/O server service 242 servesas a logical or API gateway which causes process I/O and/or other typesof data to be routed between containers of the SDCS 200, and whichcauses process I/O to be routed between containers of the SDCS 200 anddevices deployed in the field environment 12 of the industrial processplant 10. Advantageously, the I/O server service 242 may automaticallymanage the fault tolerance and the quality of service of process controlservice and subsystem containers to drive industrial process outputs, asis described in more detail elsewhere herein.

Further, at the application layer 212 of the SDCS 200, at least somephysical process control devices or components (e.g., controllers,safety logic solvers or devices, data storage devices, edge gateways,etc.) of traditional process control systems may be logicallyimplemented in the logical process control system 245 as a respectiveservice 235, 240 or subsystem 238 executing in a respective container.Such logical or virtual instances of process control devices orcomponents may be configured in a manner similar to their physicalcounterparts, if desired, by configuring the logical devices withcontrol routines, other application layer software components 212,parameters, reference values, lists, and/or other data. For example, aspecific logical edge gateway service may be configured with whitelistsand with a connection to a particular logical data diode service, acontroller service may be configured with several control modules, etc.Configured logical or virtual process control devices or components(e.g., container instances of process control devices or components) maybe identified within the logical process control system 245 via arespective device tag or identification, for example, and respectivesignals which are received and generated by configured logical orvirtual instances of process control devices may be identified withinthe logical process control system 245 via respective device signal tagsor identifiers.

Still further, the SDCS 200 provides for containers within the SDapplication layer 212 to be utilized to represent and/or logicallyorganize physical and/or logical areas, regions, and components of theindustrial process plant 10. For examples, units, areas, and the likemay be represented by respective containers, and containerscorresponding to physical and/or logical components of each unit, area,etc. may be nested within and/or pinned to their respectiveorganizational container(s). For example, a fractional distillation areacontainer of the industrial process plant 10 may include a depropanizerunit container and a debutanizer unit container; that is, thedepropanizer unit container and the debutanizer unit container may benested within or pinned to the fractional distillation area container.Within the depropanizer unit container, a controller container may beconfigured with a control routine container which is configured tooperate on flow rate measurements from a physical measurement fielddevice disposed at an output port of the physical depropanizer withinthe field environment 12 of the process plant 10. Based on received flowrate measurements, the control routine executing within the configuredcontrol routine container may generate a control output, which thecontroller container may provide to an actuator of a valve servicing theoutput port of the depropanizer, where the physical actuator and thephysical valve are also disposed in the field environment 12 of theplant 10. As such, within the SDCS 200, the configured control routinecontainer may be nested within or pinned to the controller container,and the controller container may be nested within or pinned to thedepropanizer unit container. The control routine service container maybe configured with the signal tag of the flow rate measurement receivedfrom the field device and with the signal tag of the control outputsignal which is delivered to the actuator and, if desired, thecontroller service container may be further configured with the devicetags or identifications of the physical measurement field device and thephysical actuator. For example, with respect to configuring controlservices 235, a user interface service container may communicate with orexecute a process control configuration service container via which auser may configure the controller service and the control routineservice to include desired tags, identifiers, values, and controlroutine(s).

At the SD application layer 212, the SDCS 200 also includes softwaredefined storage entities or components 213, which provide abstracteddata storage (and access thereto) for the services and subsystems235-248 of the SD application layer 212. For example, historiandatabases, configuration databases, and other types of process controlsystem databases and data storage entities as well as temporary storageutilized by various process control application services 235-248 duringexecution may be provided by the SD defined storage entities 213. The SDstorage databases, areas, devices, etc. may virtualized or logicalstorage entities or components, which may be assigned or allocated (andmay be re-assigned and re-allocated) to various storage resources of thenodes of the computing platform 208 by the SD HCI Operating System 210.For example, a single SD defined logical database may be implementedover the hardware memory resources of multiple nodes 208. Additionally,the SD Storage service 218 of the SD HCI operating system 210 mayassign/re-assign and re-assign/re-allocate SD storage entities 213 atthe SDCS application layer 212 to different storage resources providedby the nodes 208 based on performance, resource, and configuration needsof the SD storage entities or components 213 and optionally of othercomponents of the SD application layer 212.

Returning now to the software defined networking layer 210 of the SDCS200, FIG. 2 depicts a particular SD HCI OS service, i.e., the SDOrchestrator service 222, separately from the depictions of the other SDHCI OS services 215-220, 225 for ease of discussion purposes. Generallyspeaking, the SD Orchestrator service 222 instantiates container images(e.g., of application layer control services 235, subsystems 238,third-party services 248, and other SDCS services 240) into running orexecuting container processes on respective hardware and/or softwarephysical compute resources 208, as well as assigns various SD datastorage entities to reside on respective hardware storage and/orsoftware storage resources 208. For example, the SD Orchestrator 222 mayinstantiate and assign various instantiated container images to executeon and/or utilize various specific sets of hardware and/or softwarecompute resources 208, which may be resources of a single node, or maybe resources of two or more nodes. Further, the SD Orchestrator 222 mayassign various SD data storage entities or components 213 to reside onphysical layer storage resources 208 of a single node, of multiple nodesetc., e.g., for ease and speed of access by resident containers, forredundancy purposes, for balancing of memory usage across the physicalplatform, etc. In doing so, the SD Orchestrator service 222 not onlyestablishes the running container processes, but also manages the faulttolerance, load-balancing, quality of service (QoS), and/or otherperformance aspects of the running container processes of the SDCS 200,e.g., via QoS configuration services 252, fault tolerance services 255,load-balancing services 258, and optionally other performance-relatedservices 260 provided by the SD HCI OS 210. As such, the SD Orchestratorservice 222 may be invoked or accessed by the other SD HCI OS services215, 218, 220, 225, and the SD Orchestrator service 222 may in turninvoke or access one or more of the performance-related services252-260. Generally speaking, the SD Orchestrator service 222 allocatesresources to containers and SD data storage entities of the logicalprocess control system 245 so that the containers are able to operateefficiently and safely, e.g., to control the industrial process, atleast at a best-effort performance level.

To this end, the performance-related services 252-260 of the SD HCI OS210 may monitor performance parameters, resource usage, and/or criteriaduring run-time, detect any associated conditions which occur and/orwhich are predicted to occur, and provide and/or implement any changesin assignments of SD application layer software components (e.g.,containers) 212 to hardware and/or software resources of the computingplatform 208. Accordingly, during run-time of the industrial processplant 10, as various expected and/or unexpected hardware and/or softwareconditions arise and are detected, the SD Orchestrator service 222responsively adjusts the allocation of hardware and/or softwareresources of various nodes 208 to instantiated container images tomaintain (or attempt to maintain) a target or best-effort level ofperformance and fidelity of operations. Detected conditions which maycause the SD Orchestrator 222 to modify allocations and/or assignmentsbetween containers 212 and node resources 208 may include, for example,hardware faults or failures, software faults or failures, overloading ofa specific node, increased or decreased bandwidth of various networkingcomponents, addition or removal of nodes and/or clusters of nodes,hardware and/or software upgrades, pinning and/or unpinning ofcontainers, diagnostics, maintenance, and other routines which may causehardware and/or software resources to be temporarily unavailable forrun-time use, etc. Possible responsive and/or mitigating administrativeactions which may be taken by the SD Orchestrator service may include,for example, re-assigning containers to execute using different softwareand/or hardware resources (in some cases, on different nodes),activating and/or deactivating software and/or hardware resources,changing priorities of various containers' access to various softwareand/or hardware resources, etc. A more detailed discussion of the SDOrchestrator service 222 is provided elsewhere in this disclosure.

Accordingly, and generally speaking, the services, subsystems, and othersoftware components of the SDCS application layer 212 (e.g., 235, 238,240) may determine, define, or specify the processing, containerization,networking, and storage needs of the logical process control system 245,both at an individual container level and at aggregate levels (e.g., ata subsystem level, unit level, area level, and/or the process controlsystem 245 as a whole). By way of the APIs 228 (and, in someconfigurations, also by way of the HCI adaptor layer 230 and APIs 232),the SD HCI OS 210, its support services 215, 218, 220, 222, 225, and itsSD Orchestrator service 222 administer and manage the hardware andsoftware resources of the nodes 208 to support those needs. For example,in some embodiments, the SD orchestrator 222 may cause differentinstances of a particular control container 235 or a particular otherSDCS service container 240 to execute on different nodes 208, e.g., forfault tolerance, quality of service, and/or other performance criteriaof the SDCS 200. Advantageously, as the needs of the logical processcontrol system 245 dynamically change over time, the SD HCI OS supportservices 215, 218, 220, 222, 225 and/or the SD Orchestrator 222 maymodify, change, and adjust the usage of the hardware and softwareresources of the nodes 208, e.g., in a responsive and/or in a predictivemanner. For example, when the logical process control system 245 createsadditional instances of control services 235 executing in additionalcontainers, the SD HCI OS support services 215-225 may responsively (viathe APIS 228 and optionally the HCI adaptor 230 and the APIs 232) assignthe newly created containers to execute on corresponding nodes, mayre-balance existing containers among nodes, may assign specific hardwarememory resources to support the logical memory resource needs of theadditional containers, may adjust routing tables utilized by the nodes208 to support the logical routing needs of the newly createdcontainers, etc. In another example, when a particular cluster C2 needsto be taken out of service (e.g., expectedly for maintenance purposes orunexpectedly due to a lightning strike), the SD HCI OS support services215-225 may pre-emptively re-assign containers which are presentlyassigned to execute on cluster C2 to other clusters in accordance withthe present needs of the logical process control system 245 and theavailability of hardware and/or software resources of the otherclusters, and the SD HCI support services 215-225 may adjust routingtables utilized by the clusters 208 accordingly so that continuity ofexecution of said containers is maintained even when the cluster C2 istaken out of service. As such, the SDCS networking layer 210automatically, dynamically, and responsively determines, initiates, andperforms changes to the allocation of hardware and software resources ofthe nodes of the computing platform 208 to different SD applicationlayer software components 212 based on detected conditions, such asimprovement in performance of individual logical and/or physicalcomponents or groups thereof, degradation of performance of individuallogical and/or physical components or groups thereof, fault occurrences,failures of logical and/or physical components, configuration changes(e.g., due to user commands or due to automatic re-configuration byservices of the SDCS 200), etc. Consequently, with the SDCS 200, a useror system administrator need not dictate or govern the redistribution ofhardware and software resources of the nodes 208 to support the SDCS 200or changes thereto. Indeed, in most cases, the user or systemadministrator may be unaware of the redistribution of hardware and/orsoftware resources of the nodes 208 which is automatically performed bythe SDCS 200 in response to changing conditions and components of theSDCS 200.

While FIG. 2 denotes the computing platform 208 supporting the SDCS 200,in some configurations, the computing platform 208 may support multipleSDCSs. The multiple SDCSs may share sets of hardware and/or softwareresources of the computing platform 208, or the hardware and/or softwareresources of the computing platform 208 may be partitioned among themultiple SDCSs. In embodiments in which the hardware and/or softwareresources are shared across multiple SDCSs, the SDC HCI operating system210 may manage the shared resources amongst application layer servicesof the multiple SDCSs.

Additionally, in some implementations, the SDCS 200 may implementdigital twins of various SD application services 235, 240, 248, theentire SD application layer 212, various SD support services 215-225,252-260, and/or the entire SD networking layer 210. That is, a digitaltwin of the target components/layers may execute in concert with theactive target components/layers on top of the computing platform 208,and thereby receive run-time data from the field environment of theindustrial process plant and operate accordingly, with the same logic,states, timing, etc. as the active target components/layers. However,the I/O and other types of data generated by the digital twin areprevented from being delivered to the field environment. In this manner,should the active targets/components fail, the digital twin of the filedtargets/components may simply be activated to seamlessly maintainrun-time operations of the industrial process plant.

Further, in some implementations, the SDCS 200 may implement simulationsof or changes to various SD application services 235, 240, 248, to theentire SD application layer 212, to various SD support services 215-225,252-260, and/or to the entire SD networking layer 210. That is, asimulation of the target components/layers may execute in concert withthe active SDCS components/layers on top of the computing platform 208,and thereby receive run-time data from the field environment of theindustrial process plant and operate accordingly, e.g., with the samelogic, states, timing, etc. as the active target components/layers, orwith the simulated test logic, states, timing, etc. However, the I/O andother types of data generated by the simulation are prevented from beingdelivered to the field environment, and simulations may be paused, spedup, slowed down, fed test inputs, and otherwise managed to observebehavior and make modifications to the simulated components/layers.Accordingly, upon approval of a simulated portion of the SDCS 200, thesimulated portion may simply be activated for use during run-timeoperations of the industrial process plant, without needing to pause ortake part of the SDCS 200 out of service to do so.

Still further, it is noted that although the physical layer 208associated with the SDCS 200 is described above as being implemented byusing physical data center clusters C1-Cx, in some embodiments, at leasta portion of the physical layer 208 may be implemented as a virtualizedphysical layer 208. For example, the data center clusters C1-Cx (orsubset thereof) may be implemented as virtual machines, e.g., whichexecute in a cloud computing system. As such, the HCI Adaptor Layer 230may interface the SD application layer, SD storage layer, and SDnetworking layer 210 with the virtualized physical layer 208.

As should be evident from the description above and appreciated by thoseof skill in the art, industrial process control systems such as thosedescribed herein can, and often are, extremely complex systems. They caninvolve hundreds, thousands, or even tens of thousands of discrete, butinterconnected, field devices that must operate in a coordinated mannerto control the process. The complexity brought about by the sheer numberof devices is multiplied by the complexity of commissioning andmaintaining the system, which includes creating and maintaining wiredand wireless networks connecting all of the devices, creating andmaintaining the control modules that act to control the field devicesbased on measurements from the field devices, ensuring that sufficientresources (network bandwidth, processing power, etc.) are available toensure that design tolerances (network latency, synchronized messaging,etc.) of the system are continuously met, and the like.

The implementation of containers in the described software definedcontrol system lends itself in a multiplicity of ways to efficientlymanaging and operating an industrial process control environment. Aswill be described further below, containerization facilitates moreintuitive organization of control resources that can mimic the physicalor logical organization of the devices in the process plant and thephysical or logical organization of the processes and computingresources that control the devices in the process plant. Theimplementation of containers also facilitates myriad possibilities withrespect to maintaining quality of service parameters, as well ascreating and maintaining fault redundancy.

FIG. 3 is a block diagram illustrating principles of fault tolerance andload balancing. In FIG. 3 , two compute nodes 300 and 302 providecomputing, memory, and networking resources for the SDCS. As should beunderstood, each of the two compute nodes 300 and 302 may include onecompute node or a plurality of compute nodes (not shown), and each ofthe compute nodes may, in turn, include one or more processors (notshown), each of which may have one or more processor cores (not shown).The orchestrator 222 manages the instantiation of, and resourcesallocated to, various containers according to the requirements of thespecific system (e.g., according to the requirements of specificcontainers or process control plants), in embodiments, and/or accordingto general requirements for load balancing and fault tolerance (e.g.,when no specific requirements for the process control plant have beenspecified).

In greater detail, the container orchestrator service (i.e., theorchestrator 222) is responsible for instantiating container images intorunning container processes on available compute resources. Theorchestrator 222 is responsible for ensuring that each of the containersis established properly and also manages fault-tolerance and loadbalancing concerns with containers. Fault tolerance is created by takinga horizontal scaling approach whereby multiple copies of a container areinstantiated for a multiple input, single output mechanism. In someembodiments, the orchestrator 222 selects an “active” container fromamong the multiple, redundant copies of a container. As used herein, theterm “active” refers to a one of a plurality of redundant containersthat is selected such that the outputs of the selected container drivethe inputs to another container, control a field device, or the like.For example, where multiple, redundant copies of a distributed alarmsubsystem container are instantiated, the orchestrator 222 may selectwhich of the redundant containers is the active container. As anotherexample, where multiple, redundant copies of an I/O server container areinstantiated, the orchestrator 222 may select which I/O server containeris the active container. In that case, each of the redundant I/O servercontainers may be receiving process data from the field devices in theprocess plant, and may be receiving outputs from one or more controllercontainers, but only the outputs from the active I/O server containerwill be transmitted, via the physical I/O layer, to the field devices inthe process plant, and each of the controller containers will bereceiving process data only from the active I/O server container.

Communication between the fault tolerant copies of the servicecontainers is possible (and in some cases necessary) to transfer andestablish state information. The orchestrator 222 is responsible formaintaining a list of the specific service containers in a faulttolerant deployment, with the list order denoting the next availablecontainer to take over (the active container being at the top of thelist). This list is continually updated as conditions within the datacenter change. Upon the active notification that an active servicecontainer is going out-of-service, the orchestrator 222 can make a fastdecision on the next available fault tolerant copy to take over. In theevent of an unplanned active container going out-of-service (e.g., dueto a power failure) then the container orchestrator may have a timeoutdelay to detect when such a “hard” failure has occurred and may move toactivate the next available service container. In the event that thereare multiple active conditions detected, the recipient of the serviceoutputs will receive the multiple outputs for a short period of time.The receiving service will inform the orchestrator 222 of the doubleoutputs being received, upon which the orchestrator 222 will reconfigure(or destroy and recreate if reconfiguration fails) the old activecontainer and instantiate it as a non-active container. During thistime, the receiving container will default to the last known good sourceof information until the duplicate information source is eliminated.

While in some instances, the orchestrator 222 is responsible forselecting active containers, in certain circumstances, such as in thecase of an I/O server container, the containers themselves may select anactive container, based on various parameters, as described below withrespect to I/O server containers.

As used herein, the phrase “load balancing” refers to the use ofcomputing, memory, and/or communication resources for processes (e.g.,containers) running on a system, such that the processor cores,processors, compute nodes, and or servers meet desiredquality-of-service metrics. Load balancing, then, includes equalizingthe use of computing, memory, and/or communication resources in someinstances and, in some instances, ensuring minimum QoS parameters aremet (i.e., ensuring maximum network latency for certain signals does notexceed a programmed value, ensuring maximum processing latency forcertain processes does not exceed a programmed value, ensuring totallatency for a particular value does not exceed a programmed value,ensuring sufficient memory resources exist for certain processes, etc.).

Load balancing parameters, such as maximum network latency, maximumcomputing latency, and the like may be programmed as parameters of oneor more of the containers, in embodiments, and/or as parameters ofspecific services executing within the containers, and/or as parametersof specific values being received at or transmitted from the servicesexecuting within the containers. Load balancing parameters may also beset at a system level either to provide global parameters or to providedefault parameters that may be superseded by parameters set withinspecific containers or services. The QoS configuration services 252 ofthe orchestrator 222 may provide an interface to facilitateconfiguration of QoS parameters on global, default, container, and/orservice levels. The QoS configuration services 252 may also read QoSparameters programmed into the various containers and/or services inorder to ensure that the parameters are implemented and maintained bythe orchestrator 222.

The fault tolerance services 255 operating within the orchestrator 222maintain fault tolerance within the SDCS, in embodiments. As usedherein, the phrase “fault tolerance” refers to the creation of redundantprocesses and/or services (e.g., by creation of multiple containers),whether instantiated on different processor cores, different processors,different compute nodes/servers, and includes embodiments in which theorchestrator 222 (i.e., via the fault tolerance services 255) ensuresthat one or more redundant containers are instantiated on computingresources powered by separate power supplies, to ensure that failure ofa power source does not affect all operating copies of a specificcontainer. In embodiments, the orchestrator 222 itself may beinstantiated as a redundant component to ensure fault tolerance persistseven if an active instance of the orchestrator 222 is terminatedabnormally by processor failure, power failure, etc.

Referring again to FIG. 3 , several logical functions are depicted asimplemented across the two servers 300 and 302. The logical functionsinclude a first controller (i.e., a controller controlling a first setof equipment of a first portion of an associated process plant) 304, asecond controller (i.e., a controller controlling a second set ofequipment of a second portion of the associated process plant) 306, anI/O server 308, and an historian 310. Each of the logical functions304-310 is implemented by an associated service executing within one ormore corresponding containers. For simplicity, the description hererefers to these services executing within containers simply as“containers,” but it should be understood that each “container” in FIG.3 is executing an associated service, which service is configured tooperate with respect to other containers, services, and/or processcontrol field devices. For example, each controller container hasexecuting therein a controller service programmed to control itsassociated set of equipment. In some embodiments, the controller servicemay be programmed with one or more control module services, and eachcontrol module service may be programmed with one or more controlfunction block services, where each of the control module services andeach of the control function block services may execute within arespective container.

FIG. 3 depicts that the logical controller 304 includes three controllercontainers 304A, 304B, and 304C. Each of the controller containers304A-304C is instantiated on a different computing resource (i.e.processor core, processor, compute node, or server) than at least one ofthe other controller containers 304A-304C. That is, the controllercontainer 304A is instantiated on a different server (server 300) fromthe other controller containers 304B and 304C (instantiated on theserver 302); controller container 304B is instantiated on a differentserver (302) from the controller container 304A (instantiated on theserver 300) and on a different processor or processor core than thecontroller container 304C; and controller container 304C is instantiatedon a different server (302) from the controller container 304A(instantiated on the server 300) and on a different processor orprocessor core than the controller container 304B. FIG. 3 also depictsthree controller containers 306A, 306B, and 306C instantiated in asimilar manner on the servers 300 and 302, two I/O server containers308A and 308B instantiated on the servers 300 and 302, respectively, andtwo historian containers 310A and 310B instantiated on the servers 300and 302, respectively.

Referring to the logical controller 304, it should be apparent that onlyone of the controller containers 304A-304C can be active (i.e.,providing control outputs to the controlled equipment) at a giveninstant, by instantiating the controller containers 304A-304C ondifferent computing hardware, a fault on any one of the controllercontainers 304A-304C does not lead to a loss of control of the equipmentcontrolled by the logical controller 304. In the event that the faultoccurs on the active one of the controllers 304A-304C, one of theremaining two controllers would become the active controller. Becauseall three of the controller containers 304A-304C implement the samecontrol algorithms and receive all of the data received by the activecontroller, the outputs being provided by each of the controllercontainers 304A-304C is identical and a new active controller may beselected from the controllers 304A-304C when the active controllerexperiences a fault. Moreover, if the fault on the active controller iscaused by a power supply failure on the server on which the controllercontainer is instantiated, at least one other instance of the controllercontainer may be available to take over as the active controllercontainer if at least one of the controller containers 304A-304C isinstantiated on a computing resource that uses a different power supply.

In embodiments, the orchestrator 222 may monitor the QoS metrics of thevarious containers instantiated. By way of example, and withoutlimitation, the QoS metrics may include processor loading, outputlatency, network latency, and network bandwidth. If the QoS metricsindicate that one of the containers, or the service executing in thecontainer, is becoming unstable, or if the QoS metrics indicate that oneof the containers is not performing within the requirements specifiedfor the container, or for the service, then the orchestrator 222 mayinstantiate a further instance of the container and terminate thecontainer instance that is unstable and, in doing so, maintains the samelevel of redundancy while substituting a properly performing containerfor a poorly performing container. The newly-instantiated container maybe instantiated on different hardware (different processor, differentserver, etc.) from the poorly performing container, in embodiments,depending, for example, on whether the QoS metrics indicate that thecontainer was performing poorly as a result of the hardware on which thecontainer was instantiated. At the same time, if the QoS metricsindicate that one hardware resource is underutilized, while anotherhardware resource is heavily utilized, the load balancing service 258may cause the orchestrator 222 to move one or more containers to theunderutilized resource from the heavily utilized resource (i.e., tocreate a new container on the underutilized resource and terminate thecontainer on the heavily utilized resource).

Referring again to FIG. 3 , the orchestrator 222 has instantiated thefour logical functions 304-310 across the two servers 300 and 302. Aspreviously described, one instance of the controller #1 container 304Ais on the first server 300, while two instances of the controller #1container 304B and 304C are on the second sever 302. At the same time,the orchestrator 222 has “balanced” the loading of the two servers byinstantiating two of three controller #2 containers (306A and 306B) onthe first server 300, and only one of the controller #2 containers(306C) on the second server 302. Two containers 308A and 308B executethe I/O server service, respectively, on the first server 300 and thesecond server 302. Similarly, two containers 310A and 310B execute thehistorian service, respectively, on the first server 300 and the secondserver 302.

FIG. 4A illustrates the load balancing concept. In FIG. 4A, fivecontainers 312, 314, 316, 318, 320 are instantiated across three computenodes 322, 324, 326. Each of the containers 312, 314, 316, 318, 320depicted in FIG. 4A executes a different service. While FIG. 4A does notdepict redundant containers, it should be understood that suchredundancy may be present in any described embodiment, even though notdepicted in order to simplify the figure(s) for the concept beingdescribed. FIG. 4A depicts a controller container 312 and a continuouscontrol subsystem container 314 instantiated on the first compute node322, a distributed alarm subsystem container 316 and an I/O servercontainer 318 instantiated on the second compute node 324, and a SafetyInstrumented System (SIS) controller container 320 instantiated on thethird compute node 326.

FIG. 4A illustrates that the distributed alarm subsystem container 316may be “moved” from the second compute node 324 to the first computenode 322 in the event that second compute node 324 becomes heavilyloaded (e.g., in the event that the I/O server container 318 consumers asignificant portion of the resources of the second compute node 324)such that the QoS metrics for the I/O server container 318 are notmaintained, such that the QoS metrics for the distributed alarmsubsystem container 316 are not maintained, or such that a minimumamount of available resources on the second compute node 324 is notmaintained, for example. In such an event, the orchestrator 222 mayinstantiate on another compute node (e.g., on the first compute node322, as depicted in FIG. 4A) having sufficient resources a secondinstance 316′ of the container 316. Once the newly instantiateddistributed alarm subsystem 316′ is stable, the orchestrator 222 maymake the container 316′ the active container, and may terminate thedistributed alarm subsystem container 316 that was instantiated on thesecond compute node 324, freeing up resources on the second compute node324.

It should also be recognized that while non-active instances ofredundant containers may not be driving the outputs of the service(e.g., non-active controller containers may not be driving the process),redundant containers may nevertheless be providing data to portions ofthe system, provided that the data received by each of the redundantcontainers is equivalent. For example, while an active controllercontainer may be driving the process by providing control signals to theprocess control field devices operating in the process plant, one ormore of the redundant controller containers may be providing data toother services within the SDCS, such as to a historian service. In thismanner, the performance loading of the systme may be distributed acrossmultiple ones of the redundant containers, especially where thoseredundant containers are distributed across multiple hardware resources.

The SDCS 100 can also be configured to include “priority” containers(also referred to herein as “high priority” containers). Prioritycontainers are containers that are executing high priority services, andmay be designated by the configuration engineer upon configuration ofthe SDCS, or by default for certain services. By way of example,container services that are classified as safety rated (such as SIScontrollers), may be universally designated as priority containers. Withrespect to load balancing, priority containers may be guaranteedcomputing resources (e.g., processor resources, network bandwidth,memory, storage, etc.).

As such, the orchestrator 222 may perform load balancing to maintain theguaranteed resources for priority containers. Referring still to FIG.4A, the SIS controller container 320 is depicted as instantiated on thethird compute node 326 (the heavy container border indicating in thefigure that the container is a priority container). In embodiments, apriority container may, by default, operate on an otherwise unloadedcompute node (as depicted in FIG. 4A), on an otherwise unloadedprocessor core, etc., in order to ensure that guaranteed resources areavailable. However, there is no requirement that the priority containersbe on servers, processors, or other hardware components that do not alsohave other containers (priority or not) instantiated there, so long asthe guaranteed resources are provided to the priority container(s).

The guaranteed resources may be specified by container type (e.g.,hierarchical containers, controller containers, I/O server containers),by service type (e.g., I/O server, controller, subsystem, SIScontroller), or by individual containers (e.g., controller #1 thatcontrols a specific area of the process plant). Regardless of the levelat which priority containers are specified, the specification of apriority container may include specification of the types and quantitiesof resources reserved for such a container. For example, and withoutlimitation, a priority container may be guaranteed one or more of aspecific level of processor performance, a minimum amount of systemmemory, a minimum amount of network bandwidth, a minimum amount ofstorage memory, and/or a maximum transmission latency.

FIG. 4B illustrates the concepts of priority containers and alsoillustrates an additional capability of the load balancing services 258of the orchestrator 222. Specifically, FIG. 4B illustrates that theorchestrator 222 may, in embodiments, add to and/or remove from thecluster one or more compute nodes, processors, and/or processor cores.FIG. 4B depicts a first compute node 328 instantiated on which is eachof a controller container 330, a continuous control subsystem container332, and a distributed alarm subsystem container 334. A second computenode 336 has instantiated on it a priority SIS container 338 and an I/Oserver container 340. In the illustrated system of FIG. 4B, the I/Oserver container 340 requires resources of the second compute node 336that encroach upon the resources guaranteed to the priority container338, causing the load balancing service 258 of the orchestrator 222 tofree up resources for the priority container 338. In the depictedexample, the orchestrator 222 frees up the resources by adding a newcompute node (i.e., a third compute node) 342 to the cluster, andinstantiates a duplicate container 340′ of the I/O server container 340on the new compute node 342. Once the newly instantiated I/O servercontainer 340′ is stable, the orchestrator 222 may make the container340′ the active I/O server container, and may terminate the I/O servercontainer 340 that was instantiated on the second compute node 336,freeing up the resources on the second compute node 336 to meet theguaranteed resources for the priority container 338.

An example implementation of fault tolerance is depicted in FIG. 5A. InFIG. 5A, first and second compute nodes 344 and 346 each haveinstantiated thereon each of a controller container 350A, 350B, acontinuous control subsystem container 352A, 352B, a distributed alarmsubsystem container 354A, 354B, and an I/O server container 356A, 356B.A third server 348 stands idle. FIG. 5A shows that the controllercontainer 350A becomes unstable or terminates suddenly (indicated by thedifferentiated outline). The orchestrator 222, recognizing that thecontainer 350A is unstable or terminated, ensures that the remainingcontroller container 350B is the active controller container,instantiates a further redundant copy of the controller container 350Con the third compute node 348 to maintain redundancy.

A similar process occurs if, for example, an entire compute node isrendered inoperable (e.g., by a power failure). FIG. 5B illustrates sucha case. In FIG. 5B, first and second compute nodes 358 and 360 each haveinstantiated thereon each of a controller container 364A, 364B, acontinuous control subsystem container 366A, 366B, a distributed alarmsubsystem container 368A, 368B, and an I/O server container 370A, 370B.A third server 362 stands idle. FIG. 5B shows that the first computenode 358 becomes unavailable or, in any event, that all of thecontainers 364A, 366A, 368A, 370A suddenly terminate (indicated by thedifferentiated outlines). The orchestrator 222, recognizing that thefirst compute node 358 has become unavailable, ensures that thecontainers 364B, 366B, 368B, 370B are the active containers, andproceeds to ensure maintained redundancy by instantiating furtherredundant copies of the containers 364C, 366C, 368C, 370C on the thirdcompute node 362.

In embodiments, the orchestrator 222 maintains or accesses a list,table, database, or other data structure that keeps track of allinstantiated services and containers instantiated on the data center 208(or, in any event, the portion of the data center 208 within the purviewof the orchestrator 222). The information in the data structure may bepopulated by, for example, by the a service (e.g., the performancerelated services 260) executing in the orchestrator 222, by a service(e.g., the software defined services and functions 225 executing in theHCI operating system 210), by the software defined compute services 215,by the software defined storage services 218, and/or by the softwaredefined networking services 220. FIG. 6 illustrates, in a table 372, thetype of information that the orchestrator 222 maintains or accesses inthe data structure. Generally, the data structure maintains a list ofall containers and services instantiated in the data center (column373), whether each is the active container or service (column 374), andvarious information and metrics 376 relating to each of the containersor services. By way of example only, the information and metrics 376 mayinclude one or more of: an indication 377 of which of a plurality ofpower supplies is supplying power to the resources on which eachcontainer or service is instantiated; an indication 378 of on which of aplurality of nodes the container or service is instantiated; anindication 379 of the loading of the node; an indication 380 of on whichof a plurality of processors the container or service is instantiated;an indication 381 of the loading of the processor; an indication 382 ofon which of a plurality of processor cores the container or service isinstantiated, and an indication 383 of the loading of the processorcore.

The orchestrator 222 may also maintain or access a data structuretracking information at a higher level than the container and servicelevel. For example, the orchestrator 222 may access or maintainstatistics regarding the amount of compute resources, storage resources,and/or network resources available on and/or to each cluster, node,server, processor, and/or processor core, statistics regarding thestability of various power supplies (e.g., voltage stability, status ofuninterruptable power supplies, etc.), statistics regarding latency ofvarious physical network connections, etc. The orchestrator 222 may usethe information in the data structure 372 and/or the data structuretracking higher level information to determine, at any given instantwhich of each set of redundant containers is active (e.g., column 374 intable 372) and which of each set of redundant containers is the nextbest or next available container (column 375 in table 372). In thismanner, the orchestrator 222 can immediately make a new container activein the event that the previously active container becomes unstable,exhibits degraded performance, or is terminated.

In order for the orchestrator 222 to instantiate new containers, forload balancing purposes, fault tolerance purposes, or fault recoverypurposes, the orchestrator 222 (and the services being instantiated)relies, in part, on the software defined storage service 218. FIG. 7 isa block diagram depicting the software defined storage service 218 inadditional detail, as well as, for context, some of the other componentsof the HCI operating system 210 and the SDCS application layer 212. Asdescribed above, the applications (i.e., microservices) executing withinthe containers in the SDCS application layer 212 communicate via amicroservice bus 384 that is part of the software-defined networking 220of the HCI operating system 210. In addition to facilitatingcommunication between and among the instantiated containers, themicroservice bus 384 facilitates communication between the containersand the orchestrator 222, between the containers and thesoftware-defined storage 218, and between the orchestrator 222 and thesoftware-defined storage 218.

The software defined storage 218 includes a variety of storageresources, including three configuration data services classifiedbroadly as a cold process configuration data service 386 (“cold PCDS”),a warm process configuration data service 388 (“warm PCDS”), and a hotprocess configuration data service 390 (“hot PCDS”). The cold PCDS 386stores, for example, data related to the starting configuration of thesoftware defined control system 100. The data stored in the cold PCDS386 may include, for example, redundancy and fault tolerancerequirements for the SDCS 100, which application services 235 toinstantiate, which subsystems 238 to instantiate, which other SDCSservices and/or applications 240 to instantiate, and which third-partyapplications 248 to instantiate. Additionally, the cold PCDS 386 maystore the start-up configurations for each of the container services.For example, while each instance of a controller container implements acontroller service, the controller service requires configurationinformation to program the controller service with the control moduleservices or control loop services and other information necessary forthe controller to implement control of the process plant or portion ofthe process plant that the controller is to control. The data in thecold PCDS 386 is, therefore, typically engineered by the user (e.g., aconfiguration engineer) or the manufacturer to give each service a setof operation instructions specific to the service. Each SDCS service(container) would query the cold PCDS 386 for configuration data stored.In embodiments, the data stored within the cold PCDS 386 is saved tosoftware defined disk volumes dedicated to the service.

The warm PCDS 388 stores data necessary where a container service isstarting up and needs to recover operation state from either a previousinstantiation of the service, or in recovery from a service failure. Thedata stored in the warm PCDS 388 therefore may include state informationof the state of each instantiated service, state information of thestate of each active instantiated service, and the like. By way ofexample, such state information may include integration accumulatorvalues where the configuration is performing a running mathematicalintegration over time, which change rapidly and, therefore, would beinappropriate for storage in the cold PCDS 386. The warm PCDS 376handles quickly changing parameter storage in the case of warm restartapplications. As a result, in embodiments the warm PCDS 388 uses awrite-back cache to a mapped volume to capture quickly changingparameters.

In some situations, however, it may be necessary for an instantiatedcontainer to have information of the exact running state of a service.This may be the case, for example, where a container terminatesunexpectedly without a redundant container available for failover. Insuch cases where the exact running state of a service is required, thedata may be stored in the hot PCDS 390, which captures the exact runningstate of an SDCS service (i.e., container) such that the hot PCDS 390can take the place of traditional RAM facilities available tomicroservices. Data stored in the hot PCDS 390 is typically saved tovery fast non-volatile memory volumes, for example, MRAM or NVMe drivetechnology. A newly instantiated replacement container can be updatedwith configuration using cold, warm, and hot process data to take overprocess operations from a terminated predecessor container.

In a large industrial process plant, it is common to utilize parallelprocess flows. That is, the necessary equipment for producing a productmay be multiplied many times over to produce either identical product orvariations on the product. Process plants are, as a result, frequentlydivided into different physical hierarchies and realms. For example, aspecific group of equipment may form a unit, which unit may beduplicated multiple times within a physical area of the process plant,allowing different product flows to pass through respective ones of theunits, while maintaining similar groups of equipment within a specificarea of the process plant. Similarly, logical hierarchies exist,sometimes in combination with the physical hierarchies, to distinguishset of equipment. For example, in the realm of batch control, a “processcell” is defined as a logical grouping of equipment that includes theequipment for production of one or more batches. The process cell mayinclude one or more units, each of which includes one or more equipmentmodules that make up the unit. Each of the equipment modules may be madeof one or more control modules (e.g., field devices).

A variety of methods may be implemented within the process plant 10 and,in particular, within the SDCS 100, relating to the orchestrator 222. Amethod may include configuring a first container to include a serviceexecuting within the first container, and assigning the configured firstcontainer to execute on an available hardware resource of a plurality ofhardware resources. In so doing, the first container may be configuredto control the process control field devices 60, 70, 80, 90 operating inthe process plant 10. The first container may be configured to execute acontroller service that receives data from the field devices anddetermines, from the received data, one or more control outputs, and tosend the one or more control outputs to the plurality of field devices.The first container may alternatively be configured to execute an I/Oserver service. In still other embodiments, the first container may beconfigured to execute any of an historian service, a distributed alarmsubsystem service, or a diagnostic subsystem service.

Assigning the first container to execute on an available hardwareresource may include assigning the first container to execute on aspecific power supply. Alternatively, the available hardware resourcemay be specified as a specific data cluster, a specific set of dataclusters, a specific rack of servers, or a specific server. In otherembodiments, the available hardware resource may be specified as aspecific processor, a specific processor core, a specific memory device,or a specific memory resource.

Further, in some embodiments, the method may include dynamically addingor removing hardware resources, such as physical servers, data clusters,or nodes.

In embodiments, the available hardware resource to which the firstcontainer is assigned is selected according to a metric related to theavailable hardware resource. Assigning the configured first container toexecute on an available hardware resource may include moving theconfigured first container from executing on a current hardware resourceto executing on the available hardware resource according to a metricrelated to the current hardware resource, the available hardwareresource, or a comparison between the metrics of the current andavailable hardware resources. That metric, in various embodiments, mayinclude processing bandwidth, network bandwidth, memory resources, orcommunication latency between the hardware resource and anothercomponent, for example.

The method may also include configuring one or more redundant containersto include the service executing within each of the one or morecontainers, and assigning each of the one or more containers to executeon respective available hardware resources. The first container may beassigned as an active container, such that the outputs of the activecontainer are driving outputs (i.e., are provided to the field devicesor drive the inputs to another container).

The method may include maintaining a list of redundant containers(including the active container) and updating the list of redundantcontainers to indicate which container is the active container. In suchimplementations, assigning each of the redundant containers to executeon respective available hardware resources may include selecting therespective available hardware resources such that each of the one ormore redundant containers creates fault tolerance in at least oneregard, such as creating processor diversity, server diversity, and/orpower supply diversity.

In still further embodiments, the method may include receiving anindication that the first container is a priority container, and, as aresult, maintaining on the hardware resource a predetermined thresholdof resource availability to ensure that the priority container and/orthe available hardware resource meets or exceeds specified performancerequirements.

FIG. 8 is a block diagram illustrating logical and physical hierarchicalarrangement of an example process plant 400. The process plant 400includes two process cells 402A and 402B, each of which comprises threeunits 404. The process cell 402A includes units A1, A2, and A3, whilethe process cell 402B includes units B1, B2, and B3. Each of the unitsincludes one or more equipment modules, which in turn include one ormore control modules. By way of example, unit A1 in the process cell402A includes two equipment modules 404A and 404B. The equipment module404A includes control modules 406A and 406B, while the equipment module404B includes control modules 408A and 408B. Other units in the processcells 402A and A02B each include one or more equipment modules (notshown) that, in turn, include one or more control modules (not shown).

At the same time, a physical hierarchy or organization may be employedinside the process plant 400. For instance, if the process cells 402Aand 402B are processing similar products, the units A1 and B1, A2 andB2, and A3 and B3, may be each comprise identical sets of equipmentoperating according to the same or different control schemes. As aresult, the process plant operator may group similar units within“areas” of the process plant. In the process plant 400, for example, theunits A1 and B1 are in an Area 1, the units A1 and B2 are in an Area 2,and the units A3 and B3 are in an Area 3.

It will be appreciated that, depending on the process plant, variouslogical and physical hierarchies and arrangements are possible, and thatthe example process plant 400 illustrated in FIG. 8 depicts merely onepossible organizational scheme. Of course, a large industrial processmay have any number of areas, process cells, units, equipment modules,and control modules and, as a result, logical organization of thesemodules within the control scheme may be particularly helpful.

As described above, the SDCS 100 implements a containerized architecturein which each container is an isolated execution environment thatexecutes within the operating system of a computing node that hosts thecontainer (i.e., within the operating system of the computing node onwhich the container is instantiated). Because each container, whenunconfigured, is essentially a “sandbox” in which services and otheritems may be instantiated, the containers in the SDCS 100 may representlogical and/or physical hierarchies within the process plant 10.Specifically, containers within the SDCS 100 may be nested to representthe logical and/or physical configuration of the process plant in anaccurate fashion.

FIG. 9 is a block diagram illustrating an example implementation ofnested containers in a process control system. A compute node 410 on adata cluster (e.g., on the data cluster 208) has instantiated on it acontainer 412 representing a process area “Process Area 1.” Process Area1 includes two units, Unit 1 and Unit 2. Accordingly, the container 412representing Process Area 1 has instantiated within it a container 414representing Unit 1 and a container 416 representing Unit 2. In thisway, the hierarchy of the process plant may be represented within theorganization of the computing elements of the SDCS 100. In the exampledepicted in FIG. 9 , a single continuous control subsystem service,executing in a container 418 within the container 412, is responsiblefor both Unit 1 and Unit 2, and a single historian service, executing ina container 420 within the container 412, historizes data for both Unit1 and Unit 2. Controller services, I/O server services, distributedalarm subsystem services, and diagnostic subsystem services, specific toeach unit, execute, respectively, within containers 422, 424, 426, and428 nested within the container 414, and within containers 430, 432,434, and 436 nested within the container 416.

In this manner, a plant operator can configure the SDCS 100 in a mannerthat represents the logical and/or physical design of the associatedprocess plant. In this manner, containers may also be configured tofacilitate duplication of container structures for the purpose ofimplementing control of separate, but identical, portions of the processplant and/or for the purpose of creating redundancy and/or for purposeof facilitating load balancing operations. For example, a container maybe configured such that, when instantiated, it contains specificsub-containers that, upon instantiation need only be configured for thespecific equipment area of the process plant that is to be controlled.With reference again to FIG. 9 , the containers 414 and 416 may bedifferent instances of the same container that, upon instantiation, needonly be configured such that the containers 422, 424, 426, and 428within the container 414 are associated with the equipment of Unit 1 andthe containers 430, 432, 434, and 436 within the container 416 areassociated with the equipment of Unit 2.

Turning now to FIG. 10 , individual and/or nested containers may beduplicated to facilitate fault tolerance and/or moved between computenodes or other resources in order to facilitate load balancing. FIG. 10depicts an example in which the container 412 of FIG. 9 is instantiatedon the compute node 410 (container 412) and on a second compute node 440(container 412′). The containers 412 and 412′ are functionallyidentical, but, being instantiated on different compute nodes, allow forone of the containers (e.g., the container 412) to be designated theactive container, while the other of the containers (e.g., the container412′) is designated as redundant (as indicated by the containers havingdotted lines). In so doing, if the active container suffers fromdegraded service (described further below) or the compute node on whichthe active container is instantiated suffers a fault (e.g., anunexpected server error, a power failure, etc.), the redundant one ofthe containers (e.g., the container 412′) may be designated as theactive container and the associated portion of the process plant may becontinuously and reliably controlled.

Of course, while containers may be configured such that anyinstantiation of the container necessarily includes all of thecontainers nested within (e.g., such that instantiation of a containerfor Unit 1 includes all of the containers 422, 424, 426, and 428), it isalso possible to instantiate each container individually. For example,such an implementation is depicted in FIG. 11 , in which the two computenodes 410 and 440 each execute a portion of the depicted process controlsystem. In the example depicted by FIG. 11 , the container 412 isinstantiated on the compute node 410. The container 412 has instantiatedwithin it the container 418 executing the continuous control subsystemservice, and the container 420 executing the historian service. Thecontainer 414 associated with Unit 1 is instantiated in the container412, and the containers 422, 424, 426, and 428, respectively executingthe controller service, the I/O server service, the distributed alarmsubsystem service, and the diagnostic subsystem service, areinstantiated within the container 414. At the same time, the container412′ is instantiated on the compute node 440. The container 412′ hasinstantiated within it a container 418′ executing a redundant instance(indicated by the dotted lines) of the continuous control subsystemservice, and a container 420′ executing a redundant instance (indicatedby the dotted line) of the historian service. The container 416associated with Unit 2 is instantiated in the container 412′, and thecontainers 430, 432, 434, and 436, respectively executing the controllerservice, the I/O server service, the distributed alarm subsystemservice, and the diagnostic subsystem service, are instantiated withinthe container 416′. In this manner, load balancing may be achieved byimplementing on the compute node 440 services related to unit 2, andimplementing on the compute node 410 services related to unit 1, whileredundancy of the historian and continuous control subsystem services isalso achieved.

FIG. 12 depicts another example of container nesting. In FIG. 12 ,redundant configurations are instantiated on first and second computenodes 442 and 444, respectively. In each of the two redundantconfigurations, a container 446, 446′ corresponding to a same processarea 1 is instantiated and, therein, a container 448, 448′ correspondingto a same unit 1 of the process area 1 is instantiated. Each of thecontainers 448, 448′ includes a set of containers operable to provideservices for unit 1, including a controller container 450, 450′, anhistorian container 452, 452′, a continuous control subsystem container454, 454′, a distributed alarm subsystem container 456, 456′, and adiagnostic subsystem container 458, 458′. Redundant I/O servercontainers 460, 460′ are instantiated on each of the first compute node442 and the second compute node 444. The I/O server implemented by theI/O server containers 460, 460′ may perform I/O services for otherprocess areas, units, and controllers other than those depicted in FIG.12 and, as such, are not depicted as within the containers 446, 446′ forprocess area 1 or the containers 448, 448′ for unit 1.

While the I/O server implemented by I/O server containers 460, 460′ maybe used by containers other than those depicted in FIG. 12 , thecontainers 446, 446′ for process area 1 are depicted in the figure asbeing “pinned” to I/O server 1. In this way, FIG. 12 illustrates anotherfeature of the SDCS 100, namely that elements within the SDCS 100 may bepinned to one another, such that pinned elements operate on the samehardware or operate on the hardware to which they are pinned. In FIG. 12, for example, because the containers 446, 446′ for process area 1 arepinned to respective I/O server containers 460, 460′, the container 446will be instantiated on the same server as the I/O server container 460,and the container 446′ will be instantiated on the same server as theI/O server container 460′. Thus, if the process area container 446 ismoved to another server, the I/O server container 460 would likewise bemoved to the same server as the process area container 446. The same istrue for the container 446′ pinned to the container 460′.

Containers may be pinned to any of a variety of components in theprocess plant 10. As described with respect to FIG. 12 , containers maybe pinned, in embodiments to other containers, such that the containers,if moved from one piece of processing hardware to another, are moved asa unit and remain executing on the same piece of hardware. This may beuseful, for example, to ensure that network latency between pinnedcontainers remains minimal. In embodiments, containers may be pinned tospecific processing hardware, including to a particular data cluster, aparticular compute node of a data cluster, a particular processor of aparticular compute node, a particular server rack, a particularprocessor core of a processor, etc. In some embodiments, a container maybe instantiated on a smart field device and, as such, a container may bepinned to a particular field device. Containers may also be pinned toparticular non-computing physical resources. For example, a containercould be pinned to a particular physical I/O interface, or even to aparticular power supply powering a plurality of computing resources. Inthe latter case, this would allow each of two redundant containers to bemoved between computing resources powered by respective power supplies,while maintaining fault tolerance with respect to the power supplies.

FIG. 13 and FIG. 14 illustrate various examples of pinning of containersto components. In FIG. 13 , a compute node 462 has instantiated thereona plurality of containers 464-474, including a controller container 464,an historian container 466, a continuous control subsystem container468, a distributed alarm subsystem container 470, a diagnostic subsystemcontainer 472, and an I/O server container 474. As depicted in FIG. 13 ,the I/O server container 474 is pinned to compute node 462. Thus, whileothers of the containers instantiated on the compute node 462 may be“moved” (i.e. instantiated on other hardware before termination of theinstance instantiated on the compute node 462), the I/O server container464 will remain on the compute node 462 until unless some circumstance(e.g., server instability, abnormal termination, etc.) forces the I/Oserver container 464 to be moved. At the same time, the continuouscontrol subsystem container 468 is pinned to the controller container464. The controller container 464 and the continuous control subsystemcontainer 468 will be instantiated as a pair, for instance, in order toensure that data passing between the containers 464, 468 maintainminimal latency due to their instantiation on the same hardwareresources.

It may be apparent that, when a container is pinned to a particularhardware resource, that pinning may be specific to the instance of thecontainer—that is, one instance of a container may be pinned to a firsthardware resource, while a second, redundant instance of the containermay be pinned to a second, separate hardware resource. In such a case,the pinning of a container to a hardware resource may facilitateredundancy and fault tolerance. However, when a container is pinned toanother container, that pinning may, in some instances, be carriedacross to all redundant instantiations of the container pair—that is, acontroller-continuous control subsystem pair may be instantiatedtogether regardless of on which hardware resource each instance of thepair is instantiated. In this way, the pinning of one container toanother may be implemented to achieve goals related to network latencyand bandwidth management, for example.

FIG. 14 , meanwhile, illustrates an example in which two power supplies476 and 478 supply power to respective sets of compute nodes. A first ofthe power supplies 476 supplies power to three compute nodes 479, 480,481, while a second of the power supplies 478 supplies power to threeother compute nodes 482, 483, 484. Each set of servers 479-481 and482-484 collectively has instantiated thereon the same set ofcontainers, thereby providing 1:2 fault tolerance, such that if one ofthe power supplies 476, 478 failed, redundant containers would remainactive on the other of the power supplies 476, 478. Collectively, theservers 479-481 have instantiated thereon: an SIS controller container485, a controller container 486, a continuous control subsystemcontainer 487, a distributed alarm subsystem container 488, an I/Oserver container 489, an historian container 490, and a diagnosticsubsystem container 491. Similarly, the servers 482-484 haveinstantiated thereon: an SIS controller container 485′, a controllercontainer 486′, a continuous control subsystem container 487′, adistributed alarm subsystem container 488′, an I/O server container489′, an historian container 490′, and a diagnostic subsystem container491′. Effectively, each of the containers 485-491 instantiated on theservers 479-481 is pinned to the first power supply 476, with the SIScontroller container 485 pinned specifically to the first compute node479, the historian container pinned to the third server 481, and theremainder of the containers 485-491 pinned generally to the first powersupply 476. At the same time, each of the containers 485′-491′instantiated on the servers 482-484 is effectively pinned to the secondpower supply 478, with the SIS controller container 485′ pinnedspecifically to the fourth compute node 482, the historian containerpinned to the sixth server 484, and the remainder of the containers485′-491′ pinned generally to the second power supply 478. Except forthe SIS controller containers 485, 485′ and the historian containers490, 490′, the containers 485-491 may be moved between the first,second, and third servers 479-481, and the containers 485′-491′ may bemoved between the fourth, fifth, and sixth servers 482-484, for loadbalancing, while maintaining fault tolerance.

Of course, as illustrated in the paragraphs above, nesting and pinningof containers may be used in conjunction with one another or separately.Accordingly, a method may include instantiating in a first computingnode of a data cluster first and second containers, each of which is arespective isolated execution environment within an operating system ofthe first computing node. The second container may be instantiatedwithin the first container, while a service is instantiated within thesecond container. Each of the first and second containers corresponds,respectively, to first and second levels of a hierarchical structure ofthe process plant, in embodiments. At the same time the first containermay also have executing therein one or more services. The serviceexecuting within the first container may be an I/O service, inembodiments.

The method may also include instantiating on the first computing node athird container that is instantiated, specifically, within the firstcontainer. In embodiments, the service executed within the secondcontainer may be a controller service executing a control routineconfigured to control a subset of process control field devices in afirst portion of the industrial process plant, while the serviceexecuted in the third container may be a controller service executing acontrol routine configured to control a different subset of processcontrol field devices in a second portion of the industrial processplant. In some embodiments, the services executing in the second andthird containers may include respective I/O server services configuredto communicate data between the process control field devices and therespective controller services. In embodiments, the method may includeinstantiating redundant nested container structures on one or moredifferent nodes of the data cluster.

In various embodiments, a method may include instantiating, in a datacluster of the industrial process control system 10 executing an SDCS100 for controlling a plurality of process control field devices 60, 70,80, 90 operating to control a physical process in an industrial processplant, a plurality of containers. Each of the plurality of instantiatedcontainers may be an isolated execution environment executing within anoperating system of a one of a plurality of compute nodes on which thecontainer is instantiated. The plurality of instantiated containers maycooperate to facilitate execution of a control strategy in thesoftware-defined control system. The method may also include pinning afirst container of the plurality of containers to a component of thesoftware-defined control system. As described above, in someembodiments, one or more of the plurality of containers may correspondto a level of a hierarchical structure of the process plant.

In embodiments, the method may also include executing a service withinat least one of the plurality of instantiated containers. The servicemay comprise, for example, an I/O server service, a controller service,an historian service, a distributed alarm subsystem service, adiagnostic subsystem service, a third-party service, or a securityservice. Moreover, pinning a first container to a component of the SDCSmay include pinning the container to another container, which may itselfbe instantiated within the first container, or in which the firstcontainer may be instantiated.

The component to which the container is pinned may be a power supplysupplying power to one or more data clusters or a portion of a datacluster, or may be any of a data cluster, a compute node of the datacluster, a server rack within the data cluster, a server, a specificprocessor, or a specific processor core within a processor. Thecomponent may alternatively be an I/O server container in which an I/Oserver service is executing, may be a process control field device, ormay be a physical I/O interface. In embodiments, the method may includeinstantiating redundant container structures pinned to different nodes,servers, power supplies, processors, or processor cores.

FIG. 15 is a block diagram of an I/O subsystem or I/O network 500including containerized services for implementing control of a portionof a process in an area 501 and of a portion of a process in an area 502of the plant 10 shown in FIG. 1 . The I/O subsystem 500 may be part of,and/or connected to, the I/O gateway 40 and SDCSs 100/200 shown in FIGS.1 and 2 .

Regarding the term “I/O network,” generally speaking, the network formedby one or more controllers or controller services (e.g., containerized),the field devices communicatively connected to the one or morecontrollers or controller services, and the intermediary hardware orsoftware nodes (e.g., I/O server services, I/O cards, etc.) facilitatingcommunication between the controllers or controller services and fielddevices may be referred to as an “I/O network” or “I/O subsystem.”

At a high level, the I/O subsystem 500 includes: (i) an I/O serverservice (sometimes “I/O service” or just “service”) 511 a for the area501 and (ii) an I/O service 511 b for the area 502. Note, while themajority of the description below focuses on the configuration andoperation of the I/O service 511 a, it will be understood that the I/Oservice 561 a may be similarly configured to provide similarfunctionality with respect to entities used to implement control of theprocess equipment in the area 502.

The I/O service 511 a is a software service implemented at any suitablecomputing device or node. The service 511 a may be thought of as aplatform, application, or suite of applications that provides I/Ofunctions (e.g., over a link or network) relating to the I/O subsystem500 for various routines, modules, services, containers, devices, ornodes in the plant 10. For example, a field device (or I/O card coupledto a field device) may interact with the I/O service 511 a by: (i)receiving, from the service 511 a, controller outputs such as commandsto actuate a field device, and/or (ii) transmitting to the I/O service511 a field device outputs, such as measured process parameters orindices generated or calculated by the field device. Further, acontroller service may interact with the I/O service 511 a by: (i)providing the I/O service 511 a controller outputs (e.g., carryingcommands), and/or (ii) receiving, from the I/O service 511 a, controllerinputs (e.g., the field device outputs representing, for example,measured process parameters). Communication between the I/O service 511a and the entities it serves (e.g., field devices, controller servers)may be implemented using any suitable communication model, such as apush model in which the I/O service 511 a is publisher and field devicesand/or controller services are subscribers; or in which the I/O service511 a is a subscriber and field devices and/or controller services arepublishers. Likewise, a pull model may be used in which the I/O service511 a is requester and field devices and/or controller services respondto the request; or in which the I/O service 511 a responds to requestsfrom the field devices and/or controller services. If desired, a hybridmodel may be used in which the I/O service 511 a performs a differentcommunication role with the field devices (e.g., publisher, subscriber,requester, responder, etc.) than it does with the controller services.

In any event, during example operation, the I/O service 511 a receivesmultiple sets of controller outputs from a plurality of containerizedcontroller services each implementing the same control routine forcontrolling the area 501. In a typical example, the service 501 passes asingle “active” set of the controller outputs (i.e., the outputs from aparticular one of the containerized controller services) to the relevantfield devices to control the area 501. Further, the other “inactive”sets of controller outputs are not forwarded to the relevant fielddevices. The I/O server service 561 a is similarly configured withrespect to the area 502, capable of handling multiple sets of controlleroutputs, including an “active” set of controller outputs and one or more“inactive” sets.

At a high level, the I/O service 511 a acts as an intermediary between:(i) a set of field devices 531 (e.g., including pumps, valves, and otheractuating devices) which perform some physical control action in theplant, a set of field devices 532 (e.g., including sensor-based fielddevices) that operate as transmitters to measure and transmit processvariables in the plant, as well as, potentially, a set of field devices533 that encapsulate a set of microcontainers that perform “custom”algorithms (such a spectral processing microcontainer relevant forspectral processing within a spectrometer device, or an image processingmicroservice for a device with a camera attached) and which produce andtransmit processed I/O data for particular uses (which may be control ormaintenance uses) and (ii) one or more containerized controller services521 a-c each running instances 525 a-c of the same control routine #1(e.g., the same configured control routine service #1) to control thesame set of field devices 531 and 532 to thereby control the area 501.While the field devices 531 are shown as actuating field devices thatare distinct from the field devices 532 that function as transmitters(e.g., of measured process parameters) which are distinct from the fielddevices 533 which include custom algorithm or custom microcontainers toprocess or manipulate process variable data, for the sake of simplicity,it will be appreciated that the described field devices may be capableof any or all of actuating a control element (e.g., a valve stem) tomanipulate a process variable, measuring and transmitting measured orcalculated field device or process variables and processing ormanipulating collected process data or other measurements andtransmitting the processed or manipulated data For example, a smartvalve positioner may be configured to receive a command to actuate thevalve and to transmit measured flow, detected valve position, healthindices regarding the valve's health, and to process collected imagedata from a camera on the valve positioner to detect a broken valve andto transmit that processed or collected data, etc.

In some embodiments, the I/O service 511 a is not containerized.However, if desired, the I/O service 511 a is containerized in an I/Oserver container (sometimes “I/O container”) 505 a. In variousembodiments, the I/O subsystem 500 includes multiple I/O containers 505a-c. Each of the I/O containers 505 a-c receives the same inputs (e.g.,from the controller services and field devices), generates the sameoutputs (e.g., to the field devices and controller services), andimplements the same logic (e.g., for evaluating which containerizedcontroller service should be active, for handling transitions betweencontroller services, etc.). Accordingly, when multiple I/O servercontainers 505 a-c are implemented, a single one of the I/O servercontainers 505 a-c may be designated as “active.” For example, by way ofsolid and dotted lines, FIG. 15 indicates that the I/O container 505 ais “active” and that the I/O server containers 505 b and 505 c are“inactive.” In such an example, the I/O container 505 a forwards trafficto controller services and field devices, but the containers 505 b and505 c do not. One might say that, in an embodiment, all containers(including “inactive” containers) receive the same I/O data, but only“active” containers transmit I/O data that is received and acted on bycontroller services and field devices.

In some instances, the inactive I/O containers do not transmit traffic.In other instances, each of the I/O containers 505 a-c transmits I/Otraffic (including the inactive I/O containers), but a switch interceptsthe traffic and only forwards the traffic to its destination iftransmitted from the “active” I/O server container. In some instances,“inactive” I/O server containers may transmit data to other containersdespite not actively functioning as an intermediary I/O server betweenfield devices and controller services. For example, an “inactive” I/Oserver container may participate in load balancing operations bytransmitting I/O traffic (e.g., controller inputs, controller outputs,etc.) to a historian or historian container, a user workstation orworkstation container, to other plants or external networks, etc.Accordingly, the “inactive” I/O server(s) can alleviate the “active” I/Ocontainer from “wasting” processing power or networking capacity onperforming such functions. This may be especially advantageous if theI/O containers 505 a-c are distributed across more than one physicalmachine. Each I/O container 505 a-c may be implemented at one or morephysical servers such as those shown in FIGS. 16 and 17 .

As noted, the containerized controller services 521 a-c each run arespective instance 525 a-c of the same control routine #1, withincontainers 515 a-c respectively, to control the same set of fielddevices 531 and 532 and to thereby control the area 501. In someembodiments, the control routine #1 may be implemented as one or moreconfigured control routine services and/or one or more configuredcontrol function block services, for example. The containers 515 a-c maybe implemented on any suitable computer device, node, or computingcluster. In some instances, one or more of the containers areimplemented at computing devices in the plant environment near the fielddevices the corresponding controller services are configured to control.In some instances, the devices implementing the containers may be rackmounted and may have a form factor or housing similar to that typicallyfound for a physical process controller. In other instances, thecontroller service containers are implemented by servers or computers ata different location in the plant, at a control room, at a data center,at a computing cluster, at a remote site, etc. Put simply, as long asthe containerized controller services can establish a suitable networkconnection with the field devices they are controlling (e.g., via an I/Oserver service such as the service 511 a), the containerized controllerservices may be implemented on any suitable hardware at any suitablelocation.

As noted, each of the containerized controller services 521 a-crepresents the same conceptual controller implementing the same controlroutine #1 (each configured to read from and write to the same tagsassociated with the same field devices). At any given time, two of thethree containerized controller services 521 a-c may be thought of asduplicates or as redundant controller services to the “active”containerized controller service. Generally speaking, each “controllerservice” represents a software platform or infrastructure analogous tothat which might be found in hardware controllers. Each controllerservice is configured to recognize and execute control routines, whichoften have specialized and expected data formats and structure (e.g., asdefined by configured control module services which have been in turnconfigured with control function block services). A controller servicemay be thought of as a layer between the container running on thephysical device and the top-level application (e.g., the controlroutines). To that end, a “controller service” may be thought of asanalogous to an operating system, implemented within a container at acomputing device, to enable the container and computing device toproperly recognize and execute control routines. In some instances, acontroller service may be, or may include, an emulator that emulates aparticular hardware model of a physical process controller.

A control routine or control module is a set of instructions, executableby a processor, for performing one or more operations to provide orperform control of at least part of a process. Generally speaking, acontrol routine or control module may be understood as softwareconfigured to implement a particular control strategy, and may beimplemented within the SDCS 200 as a configured control module serviceexecuting in its container. A control routine or control module mayinclude one or more interconnected control function blocks associatedwith various functions. These function blocks may be objects in anobject-oriented programming protocol that perform functions within acontrol scheme based on inputs thereto, and may provide outputs to otherfunction blocks within the control scheme. In an embodiment, a controlfunction block may be implemented within the SDCS 200 as a configuredcontrol function block service executing in its container. Moregenerally, a control routine represents logic that is executed based onone or more controller inputs (e.g., measured process variables, such astemperature, pressure, flow, etc.) to produce one or more controlleroutputs (e.g., commands to manipulate a field device such as a controlvalve). The controller outputs may cause the manipulation of a processinput, such as the aforementioned valve position (such process inputsmay also be referred to as “manipulated variables”) to change or drive aprocess output (which may be referred to as a “controlled variable” orsimply a “process variable”). The controlled variable may be anysuitable variable the control routine attempts to control. Sticking withthe previous example, the control valve position may be manipulated onan inlet valve to open the inlet valve and increase a level in the tank(the level being the controlled variable here). In many cases, thecontrolled variable is measured and returned to the control routine as acontroller input. The control routine may also accept as an input adesired value for the controlled variable (i.e., a setpoint), which maybe provided by a user or a control routine (e.g., the same controlroutine or a different control routine). While FIG. 15 does notexplicitly show setpoints as inputs for any of the control routineinstances 525 a-c or 575 a-c, one will appreciate that each described orshown control routine instance may receive a setpoint.

Staying with FIG. 15 , during typical operation, the I/O service 511 areceives a process output (sometimes “field device output”) or a set ofprocess outputs from the field device 532 via an I/O channel 542 a or aset of processed data from the field device 533 via an I/O channel 542b. The process output may be any suitable process variable, and maycarry a detected or calculated value (e.g., indicating a tank levelvariable LT004 has a value of 20% full). The I/O service 511 a passesthe process output to each control routine instance 525 a-c as acontroller input via the I/O channels 543 a-c. That is, each of the I/Ochannels 543 a-c are assigned the same variables or set of variablescarrying the same values or set of values (e.g., indicating LT004=20%).

The control routine service instances 525 a-c receive the controllerinputs and generate controller outputs (e.g., a command to open an inletvalve to 75% open) based on the values of the controller inputs (e.g.,LT004=20%) and the logic of the control routine (e.g., indicating thattank should be filled to a higher level). The controller services 521a-c transmit the controller outputs, via the I/O channels 544 a-crespectively, to the I/O service 511 a. Said another way, the I/Ochannel 544 a carries a set of outputs from the control routine instance525 a; the I/O channel 544 b carries a set of controller outputs fromthe control routine instance 525 b; and the I/O channel 544 c carries aset of controller outputs from the control routine instance 525 c. In atypical example, because the controller inputs typically are identicaland because the instances 525 a-c of the control routine #1 areidentical, the sets of controller outputs often are identical (e.g.,each I/O channel 544 a-c may carry a command to open the inlet valve to75%). With that said, if a control routine or network traffic iscompromised in some manner, the various sets may differ. Accordingly,the I/O service 511 a may implement various error checks on the receivedsets. In some instances, the I/O service may perform a consensusanalysis or best of “n” voting scheme to select a set. For example, ifthe first two sets received by the service 511 a differ, the service 511a may select one of the two to forward based on which of the tworeceived sets matches a third set received by the service 511 a.

More specifically, the I/O service 511 a analyzes the received sets ofcontroller outputs and/or metadata associated with each set ofcontroller outputs. Specifically, a QoS metric for each set may beanalyzed, and the set having the best QoS metric may be determined byeither the I/O service 511 a or by some other service (e.g., anorchestrator service) to be the “active” set of controller outputs. TheQoS metric may be any desired metric for analyzing a quality of serviceprovided by the containerized controller services, such as latency,accuracy, message rate, etc. The routine, service, container, and I/Ochannel corresponding to the “best” QoS metric may be designated(explicitly or implicitly) as “active.” In an embodiment, a singlecontrol routine service instance 525 a-c, a single controller service521 a-c, a single container 521 a-c, and a single I/O channel 44 a-c maybe considered “active” at a given time. The remaining control routineservice instances 525 a-c, controller services 521 a-c, containers 521a-c, and I/O channels 544 a-c may be designated or considered“inactive.” The I/O service 511 a forwards the set of controller outputsfrom the “active” container and controller service to the field device531 via the I/O channel 540. The sets of controller outputs from the“inactive” containers are not forwarded to the field devices, thoughthey may be forwarded to other containers and/or services (e.g., to adata historian) for other purposes (e.g., to optimize use of computerand/or network resources).

Staying with FIG. 15 , the dotted lines indicate which routines,services, containers, and channels are inactive. As shown, the container515 c, the controller service 521 c, the routine service 525 c, and theI/O channel 544 c are “active,” meaning the controller outputs generatedby the routine service instance 525 c and passed to the I/O service 511a are forwarded by the I/O service 511 a to the field device(s) 531 viathe I/O channel 540. By contrast, the containers 515 a and b, thecontroller services 521 a and b, the routine services 525 a and b, andthe I/O channels 544 a and b are “inactive.” As a result, the I/O serverservice 511 a does not forward controller outputs from the routineservices 525 a and b to the field device(s) 531.

As previously noted, the I/O server service 561 a facilitates control ofthe area 502 in a manner similar to that described regarding the I/Oservice 511 a and the area 501. For example, the service 561 a acts asan intermediary node between: (i) a set of field devices 581 and 582 and583 and (ii) containerized controller services 571 a and 571 b runninginstances 575 a and 575 b of the same control routine #2, respectively,to control the same set of field devices 581 and 582 and 583 to therebycontrol the portion 502 of the plant 10. The I/O server service 561 amay evaluate the containerized controller services, select one “active”service, and utilize the controller output(s) from the active service tocontrol the set of field devices (thereby implementing control on theprocess).

It will be appreciated that the containers shown in FIG. 15 may bedistributed across physical resources at the plant 10 or elsewhere inany desired fashion. For example, the containers 515 and 505 for thearea 501 may be implemented at computers near or within the area 501,and the containers 555 and 565 for the area 502 may be implemented atcomputers near or with the area 502. However, some or all of thecontainers 505 and/or 515 may be implemented at the computers near or inthe area 502, and/or some or all of the containers 555 and/or 565 may beimplemented near or in the area 501 if desired. Or, any one or more ofthe aforementioned containers may be implemented at computers in otherareas of the plant 10, or at an off-site location that is remote to theplant 10 (which may be especially useful for ensuring seamlesstransition in the case of power outages or other failures at the plant10). Further, none of the aforementioned containers are necessarilypermanently fixed or pinned to whatever computer cluster or node/serverthey happen to be executing on at any given time. Containers may bedynamically (e.g., in or near real-time, during execution) instantiated,deleted, and re-instantiated at different computers when desired tobalance computing and network loads and to eliminate computational ornetworking inefficiencies (e.g., when a given physical resource becomesoverly burdened computationally or by network traffic). Further, thetotal instances of a given container can be dynamically reduced orincreased as needed. For example, if the physical resources implementingthe controller containers 565 a and 565 b appear to become overlyburdened, a third controller container for the controller #2 servicemight be instantiated at a new computer or physical resource (and, ifdesired, the third container may be activated). The I/O server service561 a can then continue monitoring the three containers for thecontroller #2 service, and can continuously activate the best performingcontainer at any given time. This “juggling” between containers may behelpful if the computational and network workloads for the physicalresources are highly variable. Each controller service may becontainerized in its own dedicated container, thereby providing arelatively isolated, consistent, and predictable environment withinwhich each controller service is implemented, regardless of the broadersoftware environment present on the node implementing the containers.For example, a container may include software dependencies and softwarelibraries needed for a given controller service. Without containers, itmight be necessary to properly configure every single node on which thecontroller service might run in order to ensure consistent environmentsfor the controller service. And if a given node needs to be capable ofimplementing various different types of services (which may havedifferent environmental requirements), ensuring proper configuration ofthe node can become complex. By contrast, the described controllerservice containers enable each controller service to easily beinstantiated at any given node and to be easily moved betweennodes/servers or computing clusters.

Further, it is noted that although the above discussion refers tocontroller service containers which may be instantiated at any givennode and moved between nodes/servers or computing clusters, the conceptsand techniques may be easily applied to other type of control services235, such as control module services and/or control function blockservices. For example, multiple instances of a configured controlfunction block service may be instantiated on different processor coresand moved among different process cores or even different processors,and the active I/O server may select one of the multiple instances ofthe configured control function block service and may provide the outputof the selected instance of the configured control function blockservice to each of a plurality of instances of a configured controlmodule service for operation thereon. Similarly, the active I/O servermay select one of the plurality of instances of the configured controlmodule service, and may provide the output of the selected instance ofthe configured control module service to each instance of the configuredcontroller service.

In any event, it will also be appreciated that, with reference to FIG.15 , each I/O channel 540-544 c and 570-574 b may be configured to carrya particular variable or set of variables. For example, the field device531 may be a valve, and the I/O channel 540 may be configured to alwayscarry a control valve command (e.g., representing a desired valveposition). In some instances, one or more I/O channels are configured tocarry a particular primary variable (e.g., a desired valve position) andone or more secondary variables (e.g., a valve health index, a detectedvalve position, a measured flow, measured strain on an actuator, etc.).In any event, one might, for example, refer to the I/O channel 540 asthe controller output 540.

FIG. 16 is a block diagram of a computer cluster 601, including multiplenodes or physical resources (e.g., computers, servers, networkingequipment, etc.), on which any one or more of the various containers,microcontainers, services, and/or routines described herein may beimplemented, dynamically assigned, and load balanced to optimizecomputer resource usage and performance. Specifically, the cluster 601may include physical servers 602 and 604 configured to implement any oneor more of the containers 515, 505, 555, and/or 565 shown in FIG. 15 .

Each of the servers 602 and 604 may be any suitable computing deviceincluding, for example, a processor, a memory, and a communicationinterface, and each may be disposed at any suitable location within oroutside the plant 10. For example, FIG. 17 depicts an example embodiment700 of the server 602 (sometimes referred to as the system/server/device700). As shown, the server 700 includes a processor 702, a memory 704,and a communication interface 706. The components of the server 700 maybe housed in any suitable housing (not shown).

While shown including a single processor 702, in various embodiments theserver 700 may include multiple processors 702. In this example, theprocessor 702 may implement the container 505 a, the I/O server service511 a, and/or the I/O logic 711 (e.g., including the logic forperforming the I/O server operations or functions described herein). Theprocessor 702 may also implement other containers 715 (e.g., any of theother containers shown in FIG. 1, 2, 15 , or 16). If desired, any numberof containers 505 and/or 715 may be instantiated and implemented at theserver 700 (e.g., during run-time during load balancing operations).

The memory 704 may store software and/or machine-readable instructions,such as the containers 505 and 715 that may be executed by the processor702. The memory 704 may include volatile and/or non-volatilememory(-ies) or disk(s) including non-transitory computer readable media(“CRM”) for storing software and/or machine-readable instructions.

The server 700 includes one or more communication interfaces 706configured to enable the server 700 to communicate with, for example,another device, system, host system, or any other machine. Thecommunication interface 706 may include a network interface that enablescommunication with other systems via one or more networks (e.g.,enabling the server 700 to communicate with the server 604). Thecommunication interface 706 may include any suitable type of wiredand/or wireless network interface(s) configured to operate in accordancewith any suitable protocol(s). Example interfaces include a TCP/IPinterface, a Wi-Fi™ transceiver (according to the 119E 802.11 family ofstandards), an Ethernet transceiver, a cellular network radio, asatellite network radio, a coaxial cable modem, a wireless HART radio,or any other suitable interface implementing any desired communicationprotocol or standard.

Returning to FIG. 16 , either of the nodes or servers 602 or 604 mayinclude similar components as the server 700 shown in FIG. 17 . As shownin FIG. 16 , the containers 505 and 515 are distributed across theservers 602 and 604. Note, the controller services 521 may beconceptually referred to as a single “controller.” That is, when someonerefers to “controller #1,” they are referring to the group of containers515 implementing the controller services 521, which are in turn eachexecuting instances 525 of the same control routine service #1 forcontrolling the same set of equipment. Because an orchestrator and/orthe I/O server service 511 a may dynamically change the number ofcontainerized controller services 521 in existence, and because they maydynamically change which containerized controller service 521 is activeat any given time, and because they may change which physical serversimplement the containerized controller services 521 at any given time, areference to “controller #1” does not necessarily reference any fixedparticular device or container. Perhaps better said, the particulardevice and particular container that represent “container 1” may differat various times depending on various load balancing operations anddecisions made by the I/O server service 511 a and by an orchestratorservice. In any event, the containers and servers shown in FIG. 16 maybe distributed across physical resources and locations at the plant 10in any desired manner.

The field devices 631 may communicate with any one or more of thecontainers 505 and/or 515 in the same manner as that describedreferencing field devices 531 and 532 shown in FIG. 15 , and may beconfigured in a similar manner. As shown in FIG. 6 , the field devices631 may communicate with the cluster 601 via physical I/O modules orcards 614 and a network switch 612.

The I/O modules or cards 614 each may be any suitable I/O card(sometimes called “I/O devices” or “I/O modules”). The I/O cards 614 aretypically located within the plant environment, and function asintermediary nodes between controller services and one or more fielddevices, enabling communication there between. Field device inputs andoutputs are sometimes configured for either analog or discretecommunications. In order to communicate with a field device, acontroller or controller service often needs an I/O card configured forthe same type of input or output utilized by the field device. That is,for a field device configured to receive analog control signals (e.g., a4-20 ma signal), the corresponding controller or controller service mayneed an analog output (AO) I/O card to transmit the appropriate controlsignal. And for a field device configured to transmit measurements orother information via an analog signal, the controller or controllerservice may need an analog input (AI) card to receive the transmittedinformation. Similarly, for a field device configured to receivediscrete control signals, the controller or controller service may needa discrete output (DO) I/O card to transmit the appropriate controlsignal; and for a field device configured to transmit information via adiscrete signal, the controller or controller service may need adiscrete input (DI) I/O card. Generally, each I/O card can connect tomultiple field device inputs or outputs, wherein each communication linkto a particular input or output is referred to as a “channel.” Forexample, a 120 channel DO I/O card can be communicatively connected to120 distinct discrete field device inputs, enabling the controller totransmit (via the DO I/O card) discrete control output signals to the120 distinct discrete field device inputs. In some instances, any one ormore of the I/O cards 614 is reconfigurable, enabling communication witha field device configured for any type of I/O (e.g., for AI, AO, DO, DI,etc.). Some field devices are not configured for communication via I/Ocards. Such devices may still be connected to the controller servicesshown in the I/O subsystem 500. For example, some field devicescommunicate with controllers or controller services via an Ethernet portand link. Some field devices communicate with controllers or controllerservices via any suitable wireless protocol.

In any event, the I/O cards 614 communicate with the field devices 631via a given process control protocol (e.g., HART) and may communicatewith the cluster 601 via any other suitable protocol (e.g., TCP/IP). TheI/O cards 614 route messages to, and receive messages from, the networkswitch 612. The network switch 612 may be any suitable network switchconfigured to route or forward messages between the computer cluster 601and the field devices 631. In some instances, one or more of the I/Ocards 614 may implement microcontainers implementing I/O card services.Thus, if a particular I/O card device fails and is replaced by a new I/Ocard device, it can be loaded with the I/O card microcontainer andthereby be configured quickly in the same manner as the previous I/Ocard device. As an example, in this system, a physical I/O server couldhave an active I/O card and additionally have an inactive I/O card thatstands ready with the appropriate microcontainers instantiated toquickly take over in the event of a failure of the active I/O card. Theactive I/O card sends received input data from any connected device(s)to the backup I/O card in a similar fashion to how “active” and“inactive” I/O server containers operate as previously. Importantly, inthis case, both the ‘active’ and ‘inactive’ I/O cards (which could be,for example, a typical or known railbus cards or Emerson CHARM I/Ocards) must be physically connected to the logical I/O server in orderfor the ‘inactive’ card to take over as an ‘active’ card, and startreceiving I/O data from the logical I/O server. An example of amicrocontainer would be an extremely lightweight containerizationtechnique called a “jail,” which is a term of art known throughout theindustry whereby the operating system isolates a microservice into asandboxed environment.

In some instances, the network switch 612 may be containerized. Thecontainer may include the logic relied on by the switch 612. This logicmay include a routing table including routes to addresses for fielddevices, I/O cards (or I/O card containers), and/or controller services.The logic may include a forwarding table mapping such addresses to portsof the switch (e.g., with or without knowing the route to reach theaddress). By containerizing the logic of the switch, the network switch612 may be instantiated at any desired and suitable hardware, enablingswitch hardware to be quickly configured and reconfigured for anydesired switch/routing operation (e.g., in case the physical device forthe network switch 612 is replaced).

In an embodiment, any suitable container, microcontainer, or I/O may beassigned to the computer cluster 601 and may be dynamically assigned to,and instantiated at, either the server 602 or the server 604 dependingon resource availability. This dynamic load balancing and resourceallocation enables the control system to swiftly respond to changingprocessing loads, resource availability, network constraints, etc.,without losing functionality.

Note, while not explicitly shown, the I/O subsystem 500 may includephysical I/O cards and/or one or more network switches (e.g., similar tothose shown in FIG. 16 ) that serve as intermediaries between the fielddevices (531, 532, 581, 582) and I/O server services 511 a and/or 561 a.

In an embodiment, when physical or logical assets are connected to thesystem, the I/O server service 505 will automatically resolve andcommission these assets as soon as they are discovered by the DiscoveryServices. For example, a field device may have a field device identifierunique to that field device, and the control system may be configured tolink the field device to one or more variable tags (e.g., representingcommands the field device is configured to receive and/or representingparameters the field device is configured to transmit) based on thefield devices unique ID. Using this unique identifier, the field devicemay be disconnected and reconnected to the control system, and thecontrol system may automatically route communications between the fielddevice and the controller services that rely on the field deviceregardless of which hardware has instantiated and implemented thecontroller services and regardless of where that hardware isgeographically located. Each container may likewise have a uniqueidentifier that enables routing between the appropriatecontainers/services regardless of which particular hardware hasinstantiated the containers and regardless of where that hardware isgeographically located.

FIG. 18 is a flow chart of a method 800 for implementing an I/O serverservice, such as one of those shown in FIGS. 15-17 . The method 800 maybe implemented, in whole or in part, by the SDCSs 100/200 and/or I/Ogateway 40 shown in FIGS. 1 and 2 and, more particularly, by the I/Oserver services 511/61 shown in FIGS. 15-17 . Accordingly, the method800 may be saved to a memory as one or more instructions or routines(e.g., to the memory 704 shown in FIG. 17 ). For ease of explanation,the description of FIG. 18 refers to the service 511 a of system 15 asimplementing the method 1800.

The method 800 begins at a step 805 when a set of field device orprocess outputs 542 a and 542 b are received by the I/O server service511 a. For example, I/O server service 511 a may receive, from the fielddevice 532, a measured flow of 10 gallons per minute (gpm) for avariable FT002.

At a step 810, the I/O server service 511 a generates a plurality ofsets of controller inputs (e.g., carried via I/O channel 543) eachcorresponding to the received set of process outputs received via theI/O channels 542 a and 542 b such that each set of controller inputscarries a same set of values as every other set in the plurality of setsof controller inputs. Sticking with the last example, each set ofcontroller inputs may carry the same FT002 parameter with the same value(e.g., 10 gpm). To illustrate, the I/O server service 511 a may generatea first set of controller inputs from the set of process outputs (e.g.,the channel 543 a may be the first controller input for the controllerservice 521 a, may represent the parameter FT002, and may carry thevalue of 10 gpm). Similarly, the I/O server service 511 a may generate asecond set of controller inputs from the set of process outputs (e.g.,the channel 543 b may represent a second controller input for thecontroller service 521 b, may similarly represent the parameter FT002,and may carry the same value 10 gpm).

At a step 815, the I/O server service 511 a transmits each set ofcontroller inputs (e.g., the sets 543 a-c) to a different one of theplurality of controller services 521 a-c. As shown in FIG. 15 , eachcontroller service 521 a-c implements a different instance of the samecontroller routine #1 (including instances 525 a-c). Because the controlroutines are each an instance of the same routine, they are allconfigured to generate the same set of controller outputs (e.g., thesame set of command variables) to control the same portion 501 of theprocess plant 10 via the field devices 531 and 532 based on the same setof values for the same set of controller inputs. Note, any desirednumber of containerized controller services may exist, and a set ofcontroller inputs (each carrying the same parameter(s) and value(s)) mayf9d each containerized controller service.

At a step 820, the I/O server service 511 a receives a plurality of setsof controller outputs via the I/O channels 544 a-c, each set from adifferent one of the plurality of controller services 521 a-c.

At a step 825, the I/O server service 511 a analyzes the plurality ofsets of controller outputs received via the I/O channels 544 a-c and/ormetadata associated with the sets (e.g., latency information).Specifically, a QoS metric for each set may be analyzed, and a sethaving the best QoS metric may be identified. The QoS metric may be anydesired metric for analyzing a quality of service provided by thecontainerized controller services, such as latency, accuracy, etc.

At a step 830, the I/O server service 511 a selects an active set ofcontroller outputs based on the analysis. In an embodiment, the I/Oserver service 511 a activates the active set of controller outputsbased on the analysis. For example, the service 511 a may activate theset 544 c based on QoS metrics associated with each container 515 a-c.The service 511 a may select the container or controller service withthe lowest latency, for example. In an embodiment, the service activatesa given container, server, or channel after some sort of consensus hasbeen formed. For example, it may activate the first container, server,or channel for which a second container provides the same values for theset of controller outputs 544 a-c. In an example, the service 511 aactivates a container/controller service/channel using a best out of “n”voting scheme. In an embodiment, another service, such as anorchestrator service, performs the step 830 instead of the service 511a.

In some instances, the I/O server service 511 a may confirm the statusof any one or more of the controller outputs 544 a-c (e.g., before orafter selecting an active container). For example, the service 511 a mayverify that the outputs have been recently updated and are not stale.This may be done, at least in part, by cross-checking at least one set544 a-c of the outputs with another of the sets 544 a-c.

At a step 835, the I/O server service 511 a transmits the active set ofcontroller outputs (e.g., including a command to open or close a valve)to the field devices 531 to drive a process output (e.g., flow ratedependent on the status of the manipulated valve) of the industrialprocess to thereby control the particular portion 501 of the industrialprocess.

The I/O server service 511 a may condition signals carrying controllerinputs or controller outputs in any suitable manner before it relays thecontroller inputs or outputs from a field device to a controller service(or vice versa). The I/O server service 511 a may implement analogconditioning techniques and/or digital signal conditioning techniques.Example analog signal conditioning techniques that may be implemented bythe I/O server service 511 a include filtering, amplifying, scaling, andlinearization techniques. Example digital conditioning techniques thatmay be implemented by the I/O server service 511 a include unitconversion, enumeration, encoding, and adding or editing a status valueto a signal. A characterizer or linearization function may beimplemented by the I/O server service 511 a during either analog ordigital conditioning.

FIG. 19 is a flow chart of a method 900 for evaluating and transitioningbetween containerized controller services (or corresponding I/Ochannels), such as one of those shown in FIGS. 15-17 . The method 900may be implemented, in whole or in part, by the SDCSs 100/200 and/or I/Ogateway 40 shown in FIGS. 1 and 2 and, more particularly, by the I/Oserver services 511/61 shown in FIGS. 15-17 . Accordingly, the method900 may be saved to a memory as one or more instructions or routines(e.g., to the memory 704 shown in FIG. 17 ). For ease of explanation,the description of FIG. 19 refers to the service 511 a of system 15 asimplementing the method 1900.

At a step 905, the I/O server service 511 a receives process controltraffic via a plurality of I/O channels 544 a-c.

At a step 910, the I/O server service 511 a identifies a first I/Ochannel (e.g., 544 c) that is active. As shown in FIG. 5 , the service521 c and the I/O channel 544 c are active, while the services 521 a/band the I/O channels 544 a/b are inactive. In an embodiment, the I/Oserver service 511 a activates the active service 544 c.

At a step 915, the I/O server service 511 a uses process control trafficfrom the active I/O channel 544 c to control one or more field devices.For example, consistent with the description of the method 800, theservice 511 a may pass the received control traffic (e.g., includingcontroller outputs or commands) to the field device via an I/O channel540.

At a step 920, the I/O server service 511 a evaluates a QoS metric foreach I/O channel 544 a-c from the controller services. As already noted,the QoS metric may be any desired metric for analyzing a quality ofservice provided by the containerized controller services, such aslatency, accuracy, etc.

At a step 925, the I/O server service 511 a determines whether thehighest or best QoS metric corresponds to an inactive channel or not. Ifit does not (i.e., if it corresponds to the currently active I/O channelor controller container), the I/O server service 511 a maintains thecurrently active I/O channel (step 930) and returns to the step 910.Alternatively, if the highest or best QoS metric corresponds to anactive channel, the I/O server service 511 a may designate the inactivechannel with the highest or best QoS as the active I/O channel at a step935. The I/O server service 511 a then returns to the step 910.

In an embodiment, each controller service tracks where each controlroutine is in the process of executing the control routine. For example,the control routine may be broken up into phases or stages, enabling thecontrol routines to be synchronized for a transition between controllerservices. In an embodiment, the controller services execute in lockstepor relative lockstep. For example, each controller service may stopafter executing a given stage or phase and may wait until the othercontroller services (or a threshold number of container services) havefinished executing the same given stage before beginning the next stateor phase of the control routine. This “lockstep” execution may bebeneficial in situations where process safety is a concern.

As mentioned above, referring to FIG. 2 , the SD networking service 220may administer and manage the logical or virtual networking utilized bythe logical process control system 245, which may be implemented by theSD networking service 220 across the physical nodes 208. The SDnetworking service 220 may deploy and manage instances of networkappliances, such as virtual routers, virtual firewalls, virtualswitches, virtual interfaces, virtual data diode, etc., and instances ofnetwork services, such as packet inspection services, access controlservices, authorization services, authentication services, encryptionservices, certificate authority services, key management services, etc.,in the SDCS 200. The network services may be implemented as services ormicroservices.

Additionally, the SD networking service 220 may nest containersexecuting the security appliances/services within other containersexecuting other types of services. For example, the SD networkingservice 220 may nest a security container within a control container toperform security services related to the control functionality. The SDnetworking service 220 may also nest containers executing the securityappliances/services within other containers executing securityappliances/services. For example, the SD networking service 220 may nesta firewall container and a smart switch container within a routercontainer.

Furthermore, the SD networking service 220 may deploy N redundantinstances of containers executing the security appliances/serviceswithin the SDCS 200. For example, the SD networking service 220 maydeploy a first instance of a firewall container to receive incoming datapackets and transmit outgoing data packets and a second instance of thefirewall container to receive the incoming data packets and transmitoutgoing data packets. The SD networking service 220 may deploy both thefirst and second instances of the firewall container to receive incomingdata packets from the same source (e.g., a control service). However,while the first instance of the firewall container may transmit theoutgoing data packets to a remote system outside of the SDCS 200, the SDnetworking service 220 does not configure the second instance of thefirewall to transmit the outgoing data packets to the remote system.Instead, the SD networking service 220 may configure the second instanceof the firewall to transmit the outgoing data packets to a monitoringsystem within the SDCS 200 or to transmit indications of how theincoming data packets were handled to the monitoring system within theSDCS 200. In this manner, the SD networking service 220 may monitor ifthe firewall functionality is performing properly.

FIG. 20 illustrates a block diagram of example containers, services,and/or subsystems which are related to network security. As shown inFIG. 20 , the SDCS includes a container executing a networking service1002, similar to the SD networking service 220 as shown in FIG. 2 . Thenetworking service 1002 deploys and manages a first instance of a routercontainer 1004 and a second instance of a router container 1006. Thefirst router container 1004 executes a first security service 1008 andthe second router container 1006 executes a second security service1010. The networking service 1002 may deploy the first router container1004 to connect to a first unit container 1012 having a first tankcontainer 1014 and a first control container 1016. The networkingservice 1002 may also deploy the first router container 1004 to connectto a first I/O server container 1018. In this manner, the first routercontainer 1004 may facilitate communications between the first unitcontainer 1012 and the first I/O server container 1018. The firstsecurity service 1008 may include a first set of security rules forrouting communications between the first unit container 1012 and thefirst I/O server container 1018.

The networking service 1002 may deploy the second router container 1006to connect to a second unit container 1020 having a first mixercontainer 1022 and a second control container 1024. The networkingservice 1002 may also deploy the second router container 1006 to connectto a second I/O server container 1026. In this manner, the second routercontainer 1006 may facilitate communications between the first unitcontainer 1020 and the second I/O server container 1026. The secondsecurity service 1010 may include a second set of security rules forrouting communications between the second unit container 1020 and thesecond I/O server container 1026.

The SDCS may also include a container executing a certificate authorityservice 1028. Additionally, the SDCS may include physical or logicalassets of the process plant 10 which may be utilized during run-time ofthe process plant 10 to control at least a portion of the industrialprocess, such as field devices, controllers, process control devices,I/O devices, compute nodes, containers, services (e.g., controlservices), microservices, etc. The physical or logical assets mayrequest digital certificates from the certificate authority service 1028to prove their authenticity when communicating in the SDCS, such aspublic key infrastructure (PKI) certificates. When a physical or logicalasset requests a certificate, the certificate authority service 1028obtains identification information for the physical or logical asset andverifies the identity of the physical or logical asset based on theidentification information. The certificate authority service 1028 thengenerates a certificate for the physical or logical asset that mayinclude a cryptographic public key or other identifier for the physicalor logical asset, an identifier for the certificate authority service1028, and a digital signature for the certificate authority service 1028to prove that the certificate has been generated by the certificateauthority service 1028. The certificate authority service 1028 providesthe certificate to the physical or logical asset which may use thecertificate for authentication purposes when communicating with othernodes or services within the SDCS. In some implementations, the otherservices may encrypt communications with the physical or logical assetusing the cryptographic public key for the physical or logical assetincluded in the certificate.

Also in some implementations, a user within the SDCS may request adigital certificate from the certificate authority service 1028, such asa plant operator, a configuration engineer, and/or other personnelassociated with the industrial process plant 10. When the user requeststhe digital certificate, the user may provide identificationinformation, such as the user's name, address, phone number, role withinthe industrial process plant 10, a username and password, etc. Thecertificate authority service 1028 may verify the identity of the userby for example, comparing the identification information obtained fromthe user to identification information for the user obtained from othersources. If the certificate authority service 1028 is able to verify theuser, the certificate authority service 1028 generates and provides adigital certificate to the user. In this manner, the user may providethe digital certificate to access nodes or services within the SDCS anddoes not have to enter login information. In some implementations, thecertificate authority service 1028 may include authorization informationfor the user in the certificate. The SDCS may assign the user anauthorization level based on the user's role within the industrialprocess plant 10. The certificate authority service 1028 may thengenerate different types of certificates for different authorizationlevels and/or roles within the industrial process plant 10. In thismanner, nodes or services which the user attempts to access maydetermine the user's authorization level and/or role within theindustrial process plant 10 based on the type of certificate that theuser provides. The node or service may then determine whether the useris authorized to access the node or service based on the user'sauthorization level and/or role within the industrial process plant 10.In some implementations, the user may have partial access to the node orservice based on the user's authorization level and/or role within theindustrial process plant 10. Accordingly, the node or service mayprovide the user with access to some portions of the node or service andprevent the user from accessing other portions of the node or service.

In some implementations, a user may be defined by a role which issecured by digital certificates. For example, a process manager role maycorrespond to a first authorization level having a first set of digitalcertificates which is distinct from an operator role which correspondsto a second authorization level having a second set of digitalcertificates.

While the security services 1008, 1010 are included in router containers1004, 1006 that facilitate communications between control services andI/O services in FIG. 20 this is merely one example implementation.Additionally or alternatively, security services may be nested incontainers executing other types of services, such as control services,I/O services, etc. FIG. 21 illustrates a block diagram of an additionalor alternative implementation of the SDCS in FIG. 20 . As shown in FIG.21 , in addition to deploying a first security service 1008 and a secondsecurity service 1010 within first and second router containers 1004,1006, respectively, the networking service 1002 deploys a third securityservice 1102 within a container (a security container) that executeswithin a first control container 1116 and a fourth security service 1104within a container (a security container) that executes within a secondcontrol container 1124. The third security container 1102 may havecontents which define security conditions, such as a set of securityrules. Additionally, the fourth security container 1104 may also havecontents which define security conditions, such as a set of securityrules which may be the same as or different from the contents of thethird security container 1102. The contents may also include controlstrategy for the corresponding control container such as control historyand storage.

In this manner, the third security service 1102 may include a third setof security rules that are specific to the first control container 1116that do not necessarily apply to other services or nodes connected tothe router container. Furthermore, the third security service 1102 mayencrypt data generated by the first control container 1116 before it istransmitted across a communication network. This may provide anadditional layer of security before the data reaches a router container.While the security services 1102 and 1104 are nested in controlcontainers in FIG. 21 , security services may be nested in any suitablecontainers, such as I/O server containers, operator workstationcontainers, etc.

FIG. 22 illustrates a detailed block diagram of the first routercontainer 1004 of FIG. 20 . The router container may include securityappliances or services nested within the router container. Additionally,each security appliance or service may include further services nestedwithin. The router container may include a first firewall container 1202executing a first security service 1204, a first data diode container1206 executing a second security service 1208, a first smart switchcontainer 1210 executing a third security service 1212, and a packetinspection service 1214.

The first security service 1204 may include a first set of securityrules for the first firewall container 1202, such as whitelists oraccept lists allowing data to be received/transmitted by predeterminednodes or services while preventing other connection types or ports. Thefirst set of security rules may only allow authorized traffic to betransmitted from the first router container 1004. For example, the firstsecurity service 1204 may prevent data from external sources to theprocess plant 10 from being sent to a control container.

The second security service 1208 may allow data traffic to egress fromthe SDCS to a remote system and may prevent data traffic (e.g., datathat is transmitted or sent from a remote system or other systems) fromingressing into the SDCS. Accordingly, the second security service 1208supports only unidirectional data flow from a virtual input port to avirtual output port via software, e.g., by dropping or blocking anymessages received at the virtual output port (e.g., from a remotesystem) and/or by dropping or blocking any messages addressed to thevirtual input port (e.g., addressed to nodes or services in the SDCSfrom a remote system). The second security service 1208 may also encryptdata that is transmitted from the SDCS to a remote system.

The third security service 1208 may determine a network address for anode or service intended to receive a data packet, and may transmit thedata packet to the node or service via the network address. For example,when a control container transmits data to an I/O server container viathe router container, the third security service 1208 identifies thenetwork address for the I/O server container and transmits the data tothe I/O server container via the network address. The third securityservice 1208 may assign network addresses to each of the nodes orservices connected to the router container and may determine the networkaddresses assigned to the nodes or services intended to receive datapackets.

The packet inspection service 1214 can identify a pattern of networkdata flows through the router container by inspecting packet contents asthey flow through the router container. The packet inspection service1214 can then use the known patterns of traffic to determine if aparticular service or node is experiencing out-of-norm behavior. Thepacket inspection service 1214 may then identify services or nodes asbeing suspect and may flag them to a user for action. The packetinspection service 1214 may also perform diagnostic actions to determinethe probable cause of the out-of-norm behavior. While the routercontainer in FIG. 22 includes a first firewall container 1202, a firstdata diode container 1206, a first smart switch container 1210, and apacket inspection service 1214 this is merely one example implementationfor ease of illustration only. The router container may include anysuitable security appliances and/or services.

In some implementations, the networking service may deploy firewallservices with each control service that runs within the SDCS. Thefirewall services may execute within containers that are nested incontainers that execute the corresponding control services. In otherimplementations, the firewall services execute within stand-alonecontainers assigned to the corresponding control services. As shown inFIG. 23 , the networking service deploys a first firewall container 1302to manage network traffic to and from a first control container 1304 anddeploys a second firewall container 1308 to manage network traffic toand from a second control container 1310. A control configurationdatabase 1306, which may be managed by the SD storage service 218, mayprovide a first control configuration to the first control container1304. The control configuration database 1306 may also provide a firstset of customized firewall rules to the first firewall container 1302for the assigned first control container 1304. Additionally, the controlconfiguration database 1306 may provide a second control configurationto the second control container 1310. The control configuration database1306 may provide a second set of customized firewall rules to the secondfirewall container 1308 for the assigned second control container 1310.In other implementations, a control configuration service communicateswith the control configuration database 1306 to provide controlconfigurations to the control containers 1304, 13 10 and to providecustomized firewall rules to the firewall containers 1302, 1308.

For example, the first set of customized firewall rules may include awhitelist or accept list that allows the first control container 1304 toreceive and transmit data to a first I/O server but does not allow thefirst control container 1304 to receive or transmit data to any othernodes or services. In another example, the first set of customizedfirewall rules may include a whitelist or accept list allowing the firstcontrol container 1304 to receive and transmit data to a particularnetwork address of a remote system external to the SDCS. In yet anotherexample, the first set of customized firewall rules may include awhitelist or accept list of services or nodes allowed to access datafrom the first control container 1304 and preventing services or nodeswhich are not included in the whitelist or accept list from accessingthe data from the control container. The customized firewall rules maybe dynamic in that the firewall containers 1302, 1308 may receivedifferent firewall rules from a control configuration service based onfuture changes to the configurations of the control containers 1304,1310.

As mentioned above, the security services described herein may includepacket inspection services, access control services, authorizationservices, authentication services, encryption services, certificateauthority services, key management services, etc. FIG. 24 illustrates adetailed block diagram of a security container 1404 nested within acontrol container 1402, similar to the configuration shown in FIG. 21 .The security container 1404 may include an encryption service 1406, anauthentication service 1408, and an authorization service 1410. In thismanner, the security container 1404 may encrypt data transmitted by thecontrol container 1402. The security container 1404 may alsoauthenticate and/or authorize physical or logical assets or usersattempting to access the control container 1402.

For example, when a physical or logical asset or user attempts to accessthe control container 1402, the authentication service 1408 may verifythe authenticity of the physical or logical asset or user attempting toaccess the control container 1402. For example, the authenticationservice 1408 may obtain a digital certificate issued by a certificateauthority from the physical or logical asset or user to verify theauthenticity of the physical or logical asset or user. The digitalcertificate may include a cryptographic public key or other identifierfor the physical or logical asset, an identifier for the certificateauthority service, and a digital signature for the certificate authorityservice to prove that the certificate has been generated by thecertificate authority service. In some implementations, theauthentication service 1408 analyzes the identifier for the certificateauthority service, and the digital signature for the certificateauthority service to determine whether the certificate has beengenerated by the certificate authority service. In otherimplementations, the authentication service 1408 transmits the digitalcertificate to a certificate authority service in the SDCS to determinewhether the certificate has been generated by the certificate authorityservice.

If the authentication service 1408 is able to verify the authenticity ofthe physical or logical asset or user, the authorization service 1410may determine the authorization level of the physical or logical assetor user. On the other hand, if the authentication service 1408 is unableto verify the authenticity of the physical or logical asset or user, theauthentication service 1408 may deny access to the control container1402.

In any event, the authorization service 1410 determines whether thephysical or logical asset or user is authorized to access the controlcontainer 1402 based on the authorization level of the physical orlogical asset or user. If the physical or logical asset or user has anauthorization level that meets or exceeds a minimum authorization levelfor accessing the control container 1402, the authorization service 1410determines that the physical or logical asset or user is authorized toaccess the control container 1402. Otherwise, the authorization service1410 may deny access to the control container 1402.

In some implementations, the authorization level of the physical orlogical asset or user is included in the certificate. Different types ofcertificates may indicate different authorization levels and/or roleswithin the industrial process plant 10. Accordingly, the authorizationservice 1410 may determine the authorization level for the physical orlogical asset or user based on the certificate. In otherimplementations, the authorization service 1410 obtains pre-storedauthorization levels for physical or logical assets or users from alogical storage resource and determines the authorization level for thephysical or logical asset based on the pre-stored authorization levels.In some implementations, the physical or logical asset or user may havepartial access to the control container 1402 based on the authorizationlevel. Accordingly, the control container 1402 may provide the physicalor logical asset or user with access to some portions of the controlcontainer 1402 and prevent the physical or logical asset or user fromaccessing other portions of the control container 1402.

In any event, in response to authenticating and authorizing a physicalor logical asset or user, the encryption service 1406 may encrypt datafrom the control container 1402 to the physical or logical asset or userusing the cryptographic public key included in the certificate. Thephysical or logical asset or user may then decrypt the data using thecryptographic private key paired with the cryptographic public key. Ifthe physical or logical asset or user does not have the cryptographicprivate key paired with the cryptographic public key, then the physicalor logical asset or user is unable to decrypt the data, which is anotherform of authentication.

Access control services may include the authorization or authenticationservices mentioned above as well as whitelists or accept lists, and/orother services allowing data to be received/transmitted by predeterminednodes or services while preventing other nodes or services fromreceiving or transmitting data in the process control network. A keymanagement service may store and/or access a record of the cryptographicpublic keys associated with each physical or logical asset in theprocess plant 10. In other implementations, the key management serviceretrieves the record of the cryptographic public keys from a discovereditem data store, as described in more detail below. Then when a physicalor logical asset needs to be authenticated, the physical or logicalasset provides its cryptographic public key to an authenticationservice. The authentication service may call upon the key managementservice to retrieve the record from the discovered item data store todetermine whether the provided cryptographic public key for the physicalor logical asset matches with the cryptographic public key included inthe discovered item data store.

The key management service may also store cryptographic private keysand/or PSKs for physical or logical assets in the process plant 10.Additionally, the key management service may store the certificates forphysical or logical assets in the process plant 10. The key managementservice may password-protect the keys and certificates and/or encryptthem so that a user or physical or logical asset must authenticateitself before gaining access to its respective keys or certificate.

In the example router container of FIG. 22 , the router container mayfacilitate communications between nodes or services within the SDCS orcommunications between a node or service within the SDCS and a remotesystem external to the SDCS. FIG. 25 illustrates a block diagram of anexample router container 1502 for facilitating communications between anode or service within the SDCS and a remote system external to theSDCS. The router container 1502 may include a field gateway container1504 executing a first encryption service 1506, a data diode container1508 executing a second encryption service 1510, and an edge gatewaycontainer 1512 executing a firewall service 1514 and an authenticationservice 1516.

The field gateway container 1504 may communicate with nodes or servicesin the field environment 12 of the process plant, such as processcontrol devices, field devices, control services, etc. For example, thefield gateway container 1504 may include a firewall service withfirewall rules to only allow traffic from nodes or services in the fieldenvironment 12 of the process plant. The field gateway container 1504may also execute a first encryption service 1506 to encrypt data fromthe field environment 12 of the process plant. The field gatewaycontainer 1504 may then transmit the data to the data diode container1508.

The data diode container 1508 may allow data traffic to egress from thefield gateway container 1504 to a remote system may and prevent datatraffic (e.g., that is transmitted or sent from a remote system or othersystems) from ingressing into the field gateway container 1504.Accordingly, the data diode container 1508 supports only unidirectionaldata flow from the field gateway container 1504 to the edge gatewaycontainer 1512 via software, e.g., by dropping or blocking any messagesreceived at the edge gateway container 1512 (e.g., from a remote system)and/or by dropping or blocking any messages addressed to the fieldgateway container 1504 (e.g., addressed to nodes or services in the SDCSfrom a remote system). The second encryption service 1510 may alsoencrypt the data from the field gateway container 1504 in addition or asan alternative to the first encryption service 1506. The data diodecontainer 1508 may then transmit the encrypted data to the edge gatewaycontainer 1512.

In some implementations, during instantiation, the data diode container1508 may temporarily allow handshaking (e.g., an exchange ofcertificates and pre-shared keys) between entities (e.g., the fieldgateway container 1504 and the edge gateway container 1512) transmittingincoming or outgoing data to/from the process plant 10 via the datadiode container 1508 to properly establish encrypted connections, suchas in a Datagram Transport Layer Security (DTLS) or othermessage-oriented security protocols. Once the DTLS handshake iscomplete, the connection is established, and from that point on the datadiode container 1508 only supports unidirectional data flow for theremaining duration of the data diode container 1508 for example, fromthe field gateway container 1504 to the edge gateway container 1512. Ifthere are connection issues between the entities on the input and outputends of the data diode container 1508, the data diode container 1508 mayneed to restart to allow for the DTLS handshake to take place again.

The edge gateway container 1512 may communicate with remote systemsexternal to the process plant 10. The edge gateway container 1512 mayinclude a firewall service 1514 with firewall rules to only allowtraffic from predetermined remote systems. The edge gateway container1512 may also execute an authentication service to authenticate a remotesystem communicating with the edge gateway container 1512. For example,traffic delivered from the edge gateway container 1512 to the remotesystem may be secured via an SAS (Shared Access Signature) Token, whichmay be managed through a token service provided at the remote system210. The edge gateway container 1512 authenticates the token service andrequests an SAS token, which may be valid for only a finite period oftime, e.g., two minutes, five minutes, thirty minutes, no more than anhour, etc. The edge gateway container 1512 receives and uses the SAStoken to secure and authenticate an AMQP (Advanced Message QueuingProtocol) connection to the remote system via which content data istransmitted from the edge gateway container 1512 to the remote system.Additionally or alternatively, other security mechanisms may be utilizedto secure data transiting between the edge gateway container 1512 andthe remote system 210, e.g., X.509 certificates, other types of tokens,other IOT protocols such as MQTT (MQ Telemetry Transport) or XMPP(Extensible Messaging and Presence Protocol), and the like. The edgegateway container 1512 may then transmit the data to the remote system.

As mentioned above, to prove authenticity when communicating in theSDCS, a physical or logical asset or user may request a digitalcertificate from a certificate authority service. FIG. 26 illustrates adetailed block diagram of a certificate authority container 1602,similar to the certificate authority container 1028, as shown in FIG. 20. The certificate authority container 1602 may include a certificategeneration service 1604 and a certificate verification service 1606.

The certificate generation service 1604 may generate the digitalcertificate for a physical or logical asset for example, upon receivinga request from the physical or logical asset. Upon receiving therequest, the certificate generation service 1604 obtains identificationinformation for the physical or logical asset and verifies the identityof the physical or logical asset based on the identificationinformation. For example, the request may include the name of thephysical or logical asset, a make and model of the physical or logicalasset, a cryptographic public key associated with a cryptographicprivate key owned by the physical or logical asset, or any othersuitable identification information. The certificate generation service1604 may verify the identity of the physical or logical asset by forexample, comparing the identification information obtained from thephysical or logical asset to identification information for the physicalor logical asset obtained from other sources. If the certificategeneration service 1604 is unable to verify the identity of the physicalor logical asset, the certificate generation service 1604 does notgenerate a certificate for the physical or logical asset.

On the other hand, if the certificate generation service 1604 is able toverify the identity of the physical or logical asset, the certificategeneration service 1604 generates a certificate for the physical orlogical asset that may include a cryptographic public key or otheridentifier for the physical or logical asset, an identifier for thecertificate authority service 1602 such as a cryptographic public key,and a digital signature for the certificate authority service 1602 toprove that the certificate has been generated by the certificateauthority service 1602. The certificate generation service 1604 providesthe certificate to the physical or logical asset which may use thecertificate for authentication purposes when communicating with othernodes or services within the SDCS. In some implementations, the otherservices may encrypt communications with the physical or logical assetusing the cryptographic public key for the physical or logical assetincluded in the certificate.

Also in some implementations, a user within the SDCS may request adigital certificate from the certificate generation service 1604, suchas a plant operator, a configuration engineer, and/or other personnelassociated with the industrial process plant 10. When the user requeststhe digital certificate, the user may provide identificationinformation, such as the user's name, address, phone number, role withinthe industrial process plant 10, a username and password, etc. Thecertificate generation service 1604 may verify the identity of the userby for example, comparing the identification information obtained fromthe user to identification information for the user obtained from othersources.

If the certificate generation service 1604 is unable to verify the user,the certificate generation service 1604 does not generate a certificatefor the user. On the other hand, if the certificate generation service1604 is able to verify the user, the certificate generation service 1604generates and provides a digital certificate to the user. In thismanner, the user may provide the digital certificate to access nodes orservices within the SDCS and does not have to enter login information.In some implementations, the certificate generation service 1604 mayinclude authorization information for the user in the certificate. TheSDCS may assign the user an authorization level based on the user's rolewithin the industrial process plant 10. The certificate generationservice 1604 may then generate different types of certificates fordifferent authorization levels and/or roles within the industrialprocess plant 10. In this manner, nodes or services which the userattempts to access may determine the user's authorization level and/orrole within the industrial process plant 10 based on the type ofcertificate that the user provides.

When a physical or logical asset or user attempts to access a node orservice in the SDCS, the node or service may provide a request to thecertificate verification service 1606 to authenticate the physical orlogical asset or user. More specifically, the physical or logical assetor user may provide a certificate to the node or service which mayforward the certificate to the certificate verification service 1606. Insome implementations, the certificate verification service 1606 analyzesthe identifier for the certificate authority service included in thecertificate, and the digital signature for the certificate authorityservice included in the certificate to determine whether the certificatehas been generated by the certificate authority service. For example,the certificate verification service 1606 may determine whether thecertificate authority cryptographic public key included in thecertificate matches the cryptographic public key for the certificateauthority. Additionally, the certificate verification service 1606 maydetermine whether the digital signature proves that the entitygenerating the certificate owns the cryptographic private key associatedwith the cryptographic public key. If both of these are true thecertificate verification service 1606 may determine that the certificatehas been generated by the certificate authority service.

Then the certificate verification service 1606 may provide an indicationto the node or service that the physical or logical asset or user hasbeen authenticated. Additionally or alternatively, when the certificateincludes an indication of the authorization level of the user, thecertificate verification service 1606 may provide an indication of theauthorization level to the node or service.

FIG. 27 illustrates example authentication and authorization serviceswhich may be included in nodes or services of the SDCS, such as acontrol container and an operator workstation container (e.g., a virtualworkstation). As shown in FIG. 27 , a control container 1702 includes afirst authentication service 1704, and an operator workstation container1706 includes a second authentication service 1708 and an authorizationservice 1710.

The control container 1702 may receive a request for access from aphysical or logical asset, where the request includes a certificate.Accordingly, the first authentication service 1704 may authenticate thephysical or logical asset using the certificate. In someimplementations, the first authentication service 1704 may provide thecertificate to a certificate authority service, such as the certificateauthority service 1602 as shown in FIG. 26 to authenticate the physicalor logical asset. In any event, upon authenticating the physical orlogical asset, the first authentication service 1704 may provide accessto the control container 1702. Otherwise, the first authenticationservice 1704 may deny access to the control container 1702.

The operator workstation container 1706 may receive a request for accessfrom a user, where the request includes a certificate. Accordingly, thesecond authentication service 1708 may authenticate the user using thecertificate. In some implementations, the second authentication service1708 may provide the certificate to a certificate authority service,such as the certificate authority service 1602 as shown in FIG. 26 toauthenticate the user. In any event, upon authenticating the user, thefirst authentication service 1704 may provide an indication to theoperator workstation container 1706 that the user has beenauthenticated.

The authorization service 1710 then determines whether the user isauthorized to access the operator workstation container 1706 based onthe authorization level of the user. If the user has an authorizationlevel that meets or exceeds a minimum authorization level for accessingthe operator workstation container 1706, the authorization service 1710determines that the user is authorized to access the operatorworkstation container 1706. Otherwise, the authorization service 1710may deny access to the operator workstation container 1706.

In some implementations, the authorization level of the user is includedin the certificate. Different types of certificates for differentauthorization levels and/or roles within the industrial process plant10. Accordingly, the authorization service 1710 may determine theauthorization level for the user based on the certificate. In otherimplementations, the authorization service 1710 obtains pre-storedauthorization levels for users from a logical storage resource anddetermines the authorization level for the user based on the pre-storedauthorization levels. In some implementations, the user may have partialaccess to the operator workstation container 1706 based on theauthorization level. Accordingly, the operator workstation container1706 may provide the user with access to some portions of the operatorworkstation container 1706 and prevent the user from accessing otherportions of the operator workstation container 1706.

In addition to encrypting network communications in the SDCS, the SDCSencrypts logical storage resources. FIG. 28 illustrates a block diagramof an example storage service 1802 that includes an encryption service1804 and an authentication service 1806.

When the storage service 1802 stores logical storage resources in theSDCS, the encryption service 1804 encrypts the data included in thelogical storage resources. Then when a physical or logical asset or userattempts to access a logical storage resource, the authenticationservice 1806 authenticates the physical or logical asset or user. Forexample, the authentication service 1806 may authenticate the physicalor logical asset or user based on a certificate for the physical orlogical asset or user issued by a certificate authority. If theauthentication service 1806 is able to authenticate the physical orlogical asset or user, the storage service 1802 may decrypt the dataincluded in the logical storage resource and provide the decryptedlogical storage resource to the physical or logical asset or user.Otherwise, the storage service 1802 does not decrypt the data for thephysical or logical asset or user.

FIG. 29 illustrates a flow diagram representing an example method 1900of securing a process control system of a process plant. The method maybe executed by a software defined networking service, a securitycontainer, or any suitable combination of these.

At block 1902, a software defined networking service generates asecurity service configured to execute via a container on a compute nodewithin the SDCS. For example, the security service may include a virtualrouter, a virtual firewall, a virtual switch, a virtual interface, avirtual data diode, a packet inspection service, an access controlservice, an authorization service, an authentication service, anencryption service, a certificate authority service, a key managementservice, or any other suitable service related to security.

Then at block 1904, the software defined networking service instantiatesan instance of the security container to operate with a controlcontainer. The instance of the security container may be a primaryinstance. The software defined networking service may also instantiate Nredundant instances of the security container for example, to simulateoperation with the control container without actually controlling accessto or data flow from the control container. In some implementations, thesoftware defined networking service nests the security container withinthe control container. In additional or alternative implementations, thesoftware defined networking service pins the security container to thesame compute node as the compute node on which the control containerexecutes. In other implementations, the security container is astand-alone container assigned to the control container.

At block 1906, the software defined networking service assigns securityconditions to the security container in accordance with the controlcontainer. For example, a control configuration service may obtain acontrol configuration from a control configuration storage resource andprovide the control configuration to the control container. The controlconfiguration storage resource may also include a set of customizedfirewall rules for the control container. The software definednetworking service may obtain the set of customized firewall rules forthe control container from the control configuration service, and mayassign the set of customized firewall rules to the security container assecurity conditions. The software defined networking service may alsoassign other security conditions in accordance with the controlcontainer such as authenticating physical or logical assets or usersattempting to access the control container, requiring users to have anauthorization level which exceeds or meets a minimum thresholdauthorization level, preventing access from remote systems external tothe process plant 10, or prevent incoming data from remote systemsexternal to the process plant 10.

In some implementations, the software defined networking service mayassign alternative or additional security conditions to the securitycontainer to update the contents of the security container. For example,at a first point in time, the software defined networking service mayassign a first set of security rules to the security container. Then, ata later point in time, the software defined networking service mayobtain an updated control configuration for the control container. Thesoftware defined networking service may also obtain updated firewallrules for the control container due to the change in the controlconfiguration and may assign the updated firewall rules to the securitycontainer as security conditions.

At block 1908, the security container controls access to and/or dataflow from the control container based on the security conditionsassigned to the security container. For example, the security containermay prevent nodes or services which are not included in a whitelist oraccept list from communicating with the control container.

FIG. 30 illustrates a flow diagram representing an example method 2000for role-based authorization in an SDCS. The method may be executed by asecurity container, or an authorization service.

At block 2002, a security service executing via a container on a computenode within the SDCS obtains a request from a user to access anotherservice or node within the SDCS, such as a control container. In someimplementations, the security service may obtain the request from aphysical or logical asset of the process plant 10 which is controlled bythe user. Also in some implementations, the request may include acertificate provided by the user for verifying the authenticity of theuser and including authorization information for the user.

At block 2004, the security service determines an authorization level ofthe user. For example, the authorization level of the user may beincluded in the certificate. Different types of certificates mayindicate different authorization levels and/or roles within theindustrial process plant 10. Accordingly, the security service maydetermine the authorization level for the user based on the certificate.In other implementations, the security service obtains pre-storedauthorization levels for users from a logical storage resource anddetermines the authorization level for the physical or logical assetbased on the pre-stored authorization levels.

At block 2006, the security service determines whether the user isauthorized to access the other service or node based on theauthorization level. For example, if the user has an authorization levelthat meets or exceeds a minimum authorization level for accessing theother service or node within the SDCS, the security service determinesthat the user is authorized to access the other service or node.Accordingly, the security service provides the user with access to theother service or node, such as the control container (block 2008).Otherwise, the security service may deny access to the other service ornode (block 2010).

FIG. 31 illustrates a flow diagram representing an example method 2100for generating a digital certificate by a certificate authority servicefor authenticating a physical or logical asset of the process plant 10.The method may be executed by a certificate authority service.

At block 2102, the certificate authority service obtains a request for acertificate from a physical or logical asset of the process plant 10.Upon receiving the request, the certificate authority service obtainsidentification information for the physical or logical asset andverifies the identity of the physical or logical asset based on theidentification information (block 2104). For example, the request mayinclude the name of the physical or logical asset, a make and model ofthe physical or logical asset, a cryptographic public key associatedwith a cryptographic private key owned by the physical or logical asset,or any other suitable identification information. The certificateauthority service may verify the identity of the physical or logicalasset by for example, comparing the identification information obtainedfrom the physical or logical asset to identification information for thephysical or logical asset obtained from other sources. If thecertificate authority service is unable to verify the identity of thephysical or logical asset, the certificate authority service does notgenerate a certificate for the physical or logical asset.

On the other hand, if the certificate authority service is able toverify the identity of the physical or logical asset, the certificateauthority service generates a certificate for the physical or logicalasset that may include a cryptographic public key or other identifierfor the physical or logical asset, an identifier for the certificateauthority service such as a cryptographic public key, and a digitalsignature for the certificate authority service to prove that thecertificate has been generated by the certificate authority service(block 2106). The certificate authority service provides the certificateto the physical or logical asset which may use the certificate forauthentication purposes when communicating with other nodes or serviceswithin the SDCS (block 2108). In some implementations, the otherservices may encrypt communications with the physical or logical assetusing the cryptographic public key for the physical or logical assetincluded in the certificate.

FIG. 32 illustrates a flow diagram representing an example method 2200for authenticating a physical or logical asset of the process plant 10.The method may be executed by a security service, an authenticationservice, or any suitable combination of these.

At block 2202, a security service executing via a container on a computenode within the SDCS obtains a request to access another service or nodewithin the SDCS from a physical or logical asset. The request mayinclude a certificate provided by the physical or logical asset forverifying the authenticity of the physical or logical asset.

At block 2204, an authentication service executing via a container on acompute node within the SDCS verifies the authenticity of the physicalor logical asset based on the certificate. For example, theauthentication service may analyze an identifier for the certificateauthority service included in the certificate, and the digital signaturefor the certificate authority service included in the certificate todetermine whether the certificate has been generated by the certificateauthority service. In other implementations, the authentication serviceprovides the certificate to the certificate authority service to verifythe authenticity of the physical or logical asset.

If the authentication service is able to verify the authenticity of thephysical or logical asset or user (block 2208), the security service mayprovide access to the other service or node. On the other hand, if theauthentication service is unable to verify the authenticity of thephysical or logical asset, the security service may deny access to theother service or node (block 2210).

The SDCS may also include a discovery service that executes via acontainer on a compute node of the SDCS. The discovery service stores arecord of the identity, capabilities, and/or location of each physicalor logical asset in the process plant 10 which may be utilized duringrun-time of the process plant 10 to control at least a portion of theindustrial process, such as field devices, controllers, process controldevices, I/O devices, compute nodes, containers, services (e.g., controlservices), microservices, etc.

In some implementations, the discovery service may store the record in adiscovered item data store. The SDCS may include multiple instances ofthe discovered item data store stored across multiple compute nodes forredundancy/fault tolerance. In other implementations, an instance of thediscovered item data store may be stored on each compute node within theSDCS for ease and speed of access.

Also in some implementations, the discovery service may provide therecord or at least a portion thereof to an I/O server service forcommissioning the physical or logical assets. For example, when aphysical or logical asset joins a network 22, 25, 30, 32, 35, 42-58 inthe process plant 10, the physical or logical asset announces itspresence. The announcement may include parameters such as identificationinformation for the physical or logical asset and location informationfor the physical or logical asset, such as a network address forcommunicating with the physical or logical asset. The discovery serviceor any other suitable service may obtain the announcement and transmitthe identification information and location information for the physicalor logical asset to an I/O server service for automaticallycommissioning the physical or logical asset using the identificationinformation and the location information.

FIG. 33 illustrates a block diagram of example containers, services,and/or subsystems which are related to discovery. As shown in FIG. 33 ,the SDCS includes a container executing a discovery service 2302. Whilethe discovery service 2302 is shown in FIG. 33 executes within acontainer (a discovery container), in other implementations thediscovery service 2302 may not be containerized. Also in someimplementations, the SDCS may include multiple instances of thediscovery service 2302 in multiple containers for redundancy. In someimplementations, the discovery service 2302 may be deployed by the SDnetworking service 220 or nested within the SD networking service 220 ofFIG. 2 .

The SDCS also include a discovered item data store 2304 which is alogical storage resource that stores a record of each discoveredphysical or logical asset in the process plant 10. Upon discovering aphysical or logical asset, the discovery service 2302 may store therecord of the physical or logical asset in the discovered item datastore 2304.

When a new physical or logical asset is added to a network 22, 25, 30,32, 35, 42-58 in the process plant 10 (also referred to herein as a“process plant network”), the new physical or logical asset may announceits presence by for example, broadcasting its network address to nodesor services connected to the process plant network 22, 25, 30, 32, 35,42-58. In other implementations, the new physical or logical asset mayannounce its presence by for example, responding to a multicastannouncement from a particular node or service connected to the processplant network 22, 25, 30, 32, 35, 42-58. In yet other implementations,the new physical or logical asset may announce its network address to areserved point-to-point network address, or a multicast address. The newphysical or logical asset may announce its network address once,periodically, upon request, or in any suitable manner.

A physical asset in the process plant 10 may be a physical hardwaredevice configured to control at least a portion of the industrialprocess during run-time of the process plant 10, such as a field device,controller, process control device, I/O device, compute node, etc. Thephysical hardware device may include a respective set of processorand/or processor core resources and memory resources. A logical asset inthe process plant 10 may be software configured to control at least aportion of the industrial process during run-time of the process plant10, such as a container, service such as a control service,microservice, etc. In some implementations, a logical asset may executewithin a physical asset.

The discovery service 2302 may obtain the announcement and determine theidentity of the physical or logical asset based on parameters of thephysical or logical asset which are included in the announcement. Theannouncement may include a YAML file which defines each physical orlogical asset. The YAML file may be generated manually or automaticallyfor example, when the SDCS has previously been commissioned/configured.In other implementations, the announcement includes a different type offile such as a JSON file, an XML file, or any other data serializationfile.

More specifically, the announcement may include an asset tag of thephysical or logical asset, a media access control (MAC) address of thephysical or logical asset, a network address of the physical or logicalasset, a cryptographic key for the physical or logical asset, a serialnumber for the physical or logical asset, and/or a name of a service orsubsystem associated with the physical or logical asset. While some ofthe parameters may uniquely identify the physical or logical asset suchas the MAC address, other parameters such as the serial number maycorrespond to multiple assets having the same make and model.Accordingly, the discovery service 2302 may identify the physical orlogical asset based on any suitable combination of the parametersincluded in the announcement. For example, two physical or logicalassets may be valves having the same serial number which is a partnumber. The two valves may be identified based on a combination of theserial number and cryptographic keys for the two valves.

The asset tag may be a name or number assigned to/configured into thephysical or logical asset and may uniquely identify the particularphysical or logical asset within the SDCS or may more generally identifythe asset type. For example, if the physical asset is a control valve,the asset tag may be “CTRL-VALVE” and the process plant 10 may includeseveral control valves having the same asset tag. In otherimplementations, the asset tag may be “CTRL-VALVE-01” to uniquelyidentify that particular control valve, and other control valves may be“CTRL-VALVE-02,” “CTRL-VALVE-03,” etc. In another example, if thelogical asset is a control service, the asset tag may be “CTRL-SERV” andthe process plant 10 may include several control services having thesame asset tag. In other implementations, the asset tag may be“CTRL-SERV-01” to uniquely identify that particular control service, andother control services may be “CTRL-SERV-02,” “CTRL-SERV-03,” etc.

The MAC address may be the address of the network card operating withthe physical or logical asset. The MAC address may uniquely identifyphysical assets. However, for logical assets, the MAC address may be thesame for services operating on the same compute nodes and the MACaddress may change when the service operates on a different computenode. Accordingly, in some implementations, the MAC address may not beused to identify a logical asset or the MAC address may be used incombination with other parameters to identify the logical asset.

The network address may be an IP address or other identifier for thephysical or logical asset within the process plant network 22, 25, 30,32, 35, 42-58. The serial number may be a manufacturer assigned numberindicating the make and model of a physical asset, such as a partnumber.

In some implementations, the physical or logical asset may be assignedan asymmetric key pair include a cryptographic private key and acryptographic public key. The asymmetric key pair may be assigned by auser or the manufacturer. Then the physical or logical asset may storethe cryptographic private key without sharing it with any other nodes orservices. The physical or logical asset may share the cryptographicpublic key for example with the discovery service 2302, and thediscovery service 2302 may store a record indicating that thecryptographic public key corresponds to the particular asset.

Then when the physical or logical asset needs to be authenticated, thephysical or logical asset provides the cryptographic public key to anauthentication service. As shown in more detail below with reference toFIG. 34 , the authentication service may be nested within the discoveryservice. In other implementations, the authentication service isprovided within another container of the SDCS that communicates with thediscovery service. The authentication service retrieves the record fromthe discovered item data store 2304 to determine whether the providedcryptographic public key for the physical or logical asset matches withthe cryptographic public key included in the discovered item data store2304. The physical or logical asset also provides a digital signature tothe authentication service to prove that the physical or logical assetis in possession of the cryptographic private key corresponding to thecryptographic public key. If the authentication service determines thatthe provided cryptographic public key for the physical or logical assetmatches with the cryptographic public key included in the discovereditem data store 2304 and the digital signature proves that the physicalor logical asset is in possession of the cryptographic private keycorresponding to the cryptographic public key, the authenticationservice authenticates the physical or logical asset.

In other implementations, the physical or logical asset may be assigneda pre-shared key (PSK) that the physical or logical asset shares withthe discovery service 2302. The discovery service 2302 may store the PSKin association with the physical or logical asset in the discovered itemdata store 2304. Then when the physical or logical asset communicateswith other nodes or services, the physical or logical asset may encryptthe communication using the PSK. The discovery service 2302 may thenretrieve the PSK stored in association with the physical or logicalasset from the discovered item data store 2304, decrypt thecommunication, and forward the decrypted communication to the other nodeor service. In this manner, the physical or logical asset isauthenticated, because it used the PSK which was only shared between thephysical or logical asset and the discovery service 2302 to encrypt thecommunication.

In addition to determining the identity of the physical or logicalasset, the discovery service 2302 may determine the location of thephysical or logical asset within the SDCS. For example, the location maybe the network address for the physical or logical asset, such as an IPaddress or other identifier for the physical or logical asset within theprocess plant network 22, 25, 30, 32, 35, 42-58. In addition to thenetwork location, the location may also include the physical location ofthe physical or logical asset such as a particular section of theprocess plant 10 where a physical asset is located or a physicallocation of a compute node that stores and/or executes a logical asset.The discovery service 2302 determines the location of the physical orlogical asset based on information included in the announcement, such asa network address or a description of a physical location.

Moreover, the discovery service 2302 may identify a set of capabilitiesof the physical or logical asset, such as process parameters provided bythe physical or logical asset (e.g., a valve opening percentage, a tankfill percentage, etc.), services provided by the physical or logicalasset (e.g., authentication, authorization, control, analytics, storage,etc.), and/or services configured to communicate with the physical orlogical asset. For example, the physical or logical asset may include atleast some of the capabilities of the physical or logical asset in theannouncement as primary variables. The discovery service 2302 may alsoidentify capabilities of the physical or logical asset which are notincluded in the announcement, i.e., contextual variables. Morespecifically, the discovery service 2302 may retrieve contextualvariables from a context dictionary service that infers a set ofcapabilities from a type of physical or logical asset. The discoveryservice 2302 may provide the identity of the physical or logical assetto the context dictionary service, and the context dictionary servicemay determine the type of physical or logical asset based on theidentity. Then the context dictionary service provides the set ofcapabilities inferred from the type of physical or logical asset to thediscovery service 2302. The context dictionary service is described inmore detail below with reference to FIGS. 34-36 .

In some implementations, upon identifying a physical or logical asset,the discovery service 2302 notifies a process control configurationservice of the newly discovered physical or logical asset forcommissioning and/or inclusion in the SDCS topology. A user may thenaccept or reject the inclusion of the newly discovered physical orlogical asset in the SDCS topology at the process control configurationservice. Also in some implementations, newly discovered physical orlogical assets may automatically be included in the SDCS topology by theprocess control configuration service.

In any event, the discovery service 2302 stores a record of the physicalor logical asset including the identity of the physical or logicalasset, the location of the physical or logical asset, and/or the set ofcapabilities of the physical or logical asset in the discovered itemdata store 2304. In this manner, the discovered item data store 2304maintains a record of each of the physical or logical assets within theprocess plant 10. Other physical or logical assets may request certainprocess parameters or services, and the discovery service 2302 mayidentify the physical or logical asset that provides the requestedprocess parameters or services to the requesting physical or logicalasset. The discovery service 2302 may also provide location informationfor the physical or logical asset that provides the requested processparameters or services so that the requesting physical or logical assetmay obtain the requested process parameters or services. Furthermore,the discovery service 2302 may provide a record of the physical orlogical asset to an I/O server or an I/O device for commissioning thephysical or logical asset, such as when the physical or logical asset isa field device.

If the discovered item data store 2304 is corrupted or destroyed, thediscovery service 2302 may automatically broadcast, via the processplant network 22, 25, 30, 32, 35, 42-58, a request for each of thephysical or logical assets within the process plant 10 to announce theirpresence. Then the discovery service 2302 may quickly recover the recordof each of the physical or logical assets within the process plant 10without manual input and without having to interrupt operation of theprocess plant 10.

In some implementations, the discovery request from the discoveryservice 2302 for physical or logical assets to announce their presencemay be forwarded amongst the physical or logical assets that haveintermediaries. For example, the remote I/O asset 78 of FIG. 1 mayforward the discovery request to each of the field devices 70communicatively connected to the remote I/O asset 78. The field devices70 may then respond to the discovery request by announcing theirpresence to the remote I/O asset 78 which forwards the announcements tothe discovery service 2302.

FIG. 34 illustrates a detailed block diagram of an example discoverycontainer 2402 configured to execute a discovery service, similar to thediscovery service 2302 of FIG. 33 . The discovery container 2402includes a discovery service 2404 which may execute an authenticationservice 2406, a context dictionary container 2408 which may include acontext 2410, and a location service 2412.

The discovery service 2404 may obtain announcements of physical orlogical assets that join the process plant network 22, 25, 30, 32, 35,42-58. An announcement may include an asset tag of the physical orlogical asset, a MAC address of the physical or logical asset, a networkaddress of the physical or logical asset, a cryptographic key for thephysical or logical asset, a serial number for the physical or logicalasset, and/or a name of a service or subsystem associated with thephysical or logical asset. The discovery service 2404 may determine theidentity of the physical or logical asset based on these parametersincluded in the announcement.

The discovery service 2404 may also determine the location of thephysical or logical asset within the SDCS. For example, the location maybe the network address for the physical or logical asset, such as an IPaddress or other identifier for the physical or logical asset within theprocess plant network 22, 25, 30, 32, 35, 42-58. In addition to thenetwork location, the location may also include the physical location ofthe physical or logical asset such as a particular section of theprocess plant 10 where a physical asset is located or a physicallocation of a compute node that stores and/or executes a logical asset.The discovery service 2404 determines the location of the physical orlogical asset based on information included in the announcement, such asa network address or a description of a physical location.

Moreover, the discovery service 2404 may identify a set of capabilitiesof the physical or logical asset, such as process parameters provided bythe physical or logical asset (e.g., a valve opening percentage, a tankfill percentage, etc.), services provided by the physical or logicalasset (e.g., authentication, authorization, etc.), and/or servicesconfigured to communicate with the physical or logical asset. Forexample, the physical or logical asset may include at least some of thecapabilities of the physical or logical asset in the announcement. Thediscovery service 2404 may also automatically infer capabilities of thephysical or logical asset which are not included in the announcement.For example, when the physical or logical asset is a field device, theannouncement may include primary variables retrievable from the fielddevice, such as a mass flow rate of a fluid. The discovery service 2404may also automatically infer contextual variables for the field device,such as a speed, a velocity, and/or density of the fluid. For example,when the physical or logical asset is a legacy device, the legacy devicemay not be configured to announce certain capabilities. Accordingly, thelegacy device announces primary variables, and the discovery service2404 automatically infers remaining capabilities or contextual variableswhich are not included in the announcement.

In another example, when the physical or logical asset is a fielddevice, the field device may announce primary variables in an eventdriven data layer (EDDL), such as a valve position and an air pressurein the valve. The discovery service 2404 may automatically infercontextual variables for the field device, such as valve health metrics,valve travel metrics, etc.

More specifically, the discovery service 2404 may retrieve thesecapabilities from a context dictionary container 2408. The contextdictionary container 2408 includes a context 2410 that infers a set ofcapabilities from a type of physical or logical asset. For each type ofphysical or logical asset, the context 2410 may include a list of eachof the process parameters provided by the physical or logical asset,each of the services performed by the physical or logical asset, andeach of the services within the SDCS that call on the physical orlogical asset to communicate information.

The discovery service 2404 may provide the identity of the physical orlogical asset to the context dictionary container 2408, and the contextdictionary container 2408 may determine the type of physical or logicalasset based on the identity. For example, the context dictionarycontainer 2408 may store a set of rules for determining the type ofphysical or logical asset based on the identity of the physical orlogical asset. More specifically, the context dictionary container 2408may analyze the asset tag, serial number, or name of a service orsubsystem associated with the physical or logical asset to determine thetype of physical or logical asset. For example, if the asset tag for thephysical or logical asset is “CTRL-VALVE-01,” the context dictionarycontainer 2408 may determine that the type of physical or logical assetis a control valve. The context dictionary container 2408 may store alist of physical or logical asset types and asset tags, serial numbers,names or portions thereof that correspond to each physical or logicalasset type.

Then the context dictionary container 2408 automatically infers the setof capabilities from the type of physical or logical asset using thecontext 2410 and provides the set of capabilities inferred from the typeof physical or logical asset to the discovery service 2404. Thediscovery service 2404 then stores a record of the physical or logicalasset including the identity of the physical or logical asset, thelocation of the physical or logical asset, and/or the set ofcapabilities of the physical or logical asset in a discovered item datastore.

When a physical or logical asset requests access to a node or servicewithin the SDCS, the authentication service 2406 within the discoveryservice 2404 authenticates the physical or logical asset. For example,the authentication service 2406 authenticates the physical or logicalasset by retrieving a cryptographic public key for the physical orlogical asset included in the discovered item data store. Theauthentication service 2406 may then compare the retrieved cryptographicpublic key for the physical or logical asset to the cryptographic publickey provided by the physical or logical asset in the request for accessto the node or service to determine if there is a match. Theauthentication service 2406 may also analyze a digital signatureprovided by the physical or logical asset in the request for access tothe node or service to determine whether the digital signature provesthat the physical or logical asset is in possession of the cryptographicprivate key corresponding to the cryptographic public key. If both ofthese conditions are met, the authentication service 2406 mayauthenticate the physical or logical asset.

In another example, the authentication service 2406 authenticates thephysical or logical asset by retrieving a PSK for the physical orlogical asset from the discovered item data store. The authenticationservice 2406 may then attempt to decrypt the request for access to nodeor service using the retrieved PSK. If the authentication service 2406successfully decrypts the request, the authentication service 2406 mayauthenticate the physical or logical asset.

While the authentication service 2406 is illustrated as being nestedwithin the discovery service 2404, this is merely one exampleimplementation for ease of illustration only. In other implementations,the authentication service 2406 is not nested within the discoveryservice 2404.

The location service 2412 may receive a request for the location of aphysical or logical asset from a node or service within the SDCS. Thelocation service 2412 may then obtain a record from the discovered itemdata store of the location of the physical or logical asset. Forexample, the location may be the network address for the physical orlogical asset, such as an IP address or other identifier for thephysical or logical asset within the process plant network 22, 25, 30,32, 35, 42-58. In addition to the network location, the location mayalso include the physical location of the physical or logical asset suchas a particular section of the process plant 10 where a physical assetis located or a physical location of a compute node that stores and/orexecutes a logical asset. The location service 2412 then provideslocation information for the physical or logical asset to the node orservice that provided the request as a response to the request.

FIG. 35 illustrates a detailed block diagram of an example contextdictionary container 2502 similar to the context dictionary container2408 of FIG. 34 . As in the context dictionary container 2408, thecontext dictionary container 2502 includes a context dictionary service2504 and a context 2508. The context dictionary service 2504 furtherincludes an asset capabilities identification service 2506.

The asset capabilities identification service 2506 may determine thetype of physical or logical asset based on the identity of the physicalor logical asset. For example, the asset capabilities identificationservice 2506 may store a set of rules for determining the type ofphysical or logical asset based on the identity of the physical orlogical asset. More specifically, the asset capabilities identificationservice 2506 may analyze the asset tag, serial number, or name of aservice or subsystem associated with the physical or logical asset todetermine the type of physical or logical asset. For example, if theasset tag for the physical or logical asset is “CTRL-VALVE-01,” theasset capabilities identification service 2506 may determine that thetype of physical or logical asset is a control valve. The assetcapabilities identification service 2506 may store a list of physical orlogical asset types and asset tags, serial numbers, names or portionsthereof that correspond to each physical or logical asset type.

Additionally or alternatively, the asset capabilities identificationservice 2506 may analyze the primary variables for the physical orlogical asset included in the announcement to determine the type ofphysical or logical asset, such as the primary variables included in anEDDL. For example, if a primary variable for the physical or logicalasset is valve position, the asset capabilities identification service2506 may determine that the physical or logical asset is a valve. Inanother example, if a primary variable for the physical or logical assetis a control service, the asset capabilities identification service 2506may determine that the physical or logical asset is a control container.Some physical or logical assets may include a combination ofcapabilities, such as a valve position capability and a control servicecapability. In this case, the asset capabilities identification service2506 may determine the type of physical or logical asset based on thecombination of capabilities.

The asset capabilities identification service 2506 may then infer thecapabilities from the type of physical or logical asset using thecontext 2508. For example, for a particular physical or logical asset,the announcement may indicate that the physical or logical asset canprovide a first set of parameters related to control of the physical orlogical asset. The context 2508 may further identify additionalparameters related to maintenance of the physical or logical asset. Inanother example, the context 2508 may include mechanisms for accessingeach of the additional parameters or services, such as mechanisms foraccessing the maintenance parameters. A mechanism for accessing anadditional parameter or service may be the format and/or content of arequest to provide to the physical or logical asset to retrieve theadditional parameter or service. In another example, the mechanism maybe a reference number or identifier corresponding to the additionalparameter or service which may be used to retrieve the additionalparameter or to have the physical or logical asset perform theadditional service.

FIG. 36 illustrates a detailed block diagram of an example context 2602similar to the context 2508 of FIG. 35 . The context 2602 may include adata table 2604 that associates device types with a class contexts. Morespecifically, the data table 2604 may include device types, primaryvariables, and contextual variables. For example, when the device typeis a thermocouple, the primary variable may be temperature and thecontextual variables may include device health metrics for thethermocouple and a device tolerance indicative of the variability of thethermocouple. When the device type is a mass flow sensor, the primaryvariable may be mass flow and the contextual variables may include fluidspeed, fluid velocity, and fluid density. In another example, when thedevice type is a valve, the primary variables may include the valveposition and the air pressure in the valve. The contextual variables mayinclude valve health metrics, valve travel metrics, a mode of operationof the valve such as full stroke cycling, continuous throttling,periodic throttling, etc., and conditions in the valve such as dead bandand dead time. Additionally, the contextual variables may includeservices that the valve can perform such as a valve monitoring serviceand/or services that may utilize the primary or contextual variablesfrom the valve.

The SDCS may also include a recommender service that obtains the primaryand contextual variables for a physical or logical asset from thecontext dictionary service 2504 and/or the discovery service 2404 andrecommends features to a user during a configuration. For example, whena user configures a new valve to the SDCS, the context dictionaryservice 2504 may detect from the contextual variables for the new valvethat there is a readback value. As the user configures the new valve,the recommender service may remind that user that there is an unusedvalve position readback value that is available but unused for example,when the user attempts to commit the configuration to the processcontrol configuration service. In this manner, when the user does notknow the full capabilities of a physical or logical asset, therecommender service allows the user to learn the capabilities ofphysical or logical asset without having to read the manual for each ofthe assets configured or commissioned within the SDCS.

FIG. 37 illustrates a flow diagram representing an example method 2700for providing discovery software as a service in a process plant 10. Themethod may be executed by a discovery service.

At block 2702, the discovery service obtains an announcement indicativeof the presence of a physical or logical asset. When a new physical orlogical asset, such as a field device, process control device, computenode, containers, service, microservice, etc. is added to the processplant network 22, 25, 30, 32, 35, 42-58, the new physical or logicalasset may announce its presence by for example, broadcasting its networkaddress to nodes or services connected to the process plant network 22,25, 30, 32, 35, 42-58. In other implementations, the discovery servicemay broadcast a request to each of the physical or logical assets in theprocess plant network 22, 25, 30, 32, 35, 42-58 to announce theirpresence.

The announcement may include an identifying parameter for the physicalor logical asset such as an asset tag of the physical or logical asset,a MAC address of the physical or logical asset, a network address of thephysical or logical asset, a cryptographic key for the physical orlogical asset, a serial number for the physical or logical asset, and/ora name of a service or subsystem associated with the physical or logicalasset. The announcement may also include a network address for thephysical or logical asset or any other suitable location information forthe physical or logical asset including physical or network locationinformation. Additionally, the announcement may include capabilities ofthe physical or logical asset, such as process parameters that thephysical or logical asset is configured to provide, services that thephysical or logical asset is configured to provide, or servicesconfigured to communicate with the physical or logical asset.

At block 2704, the discovery service determines the identity of thephysical or logical asset based on the identifying parameters includedin the announcement. In some implementations, the discovery servicedetermines the identity of the physical or logical asset based on one ofthe identifying parameters which uniquely identifies the physical orlogical asset (e.g., a MAC address). In other implementations, thediscovery service determines the identity of the physical or logicalasset based on a combination of the identifying parameters. For example,the serial number may correspond to multiple assets having the same makeand model. Accordingly, the discovery service may determine the identityof the physical or logical asset based on a combination of the serialnumber and the cryptographic key for the physical or logical asset.

Then at block 2706, the discovery service stores a record of thephysical or logical asset in a discovered item data store. The recordmay include an indication of the identity of the physical or logicalasset, a set of capabilities of the physical or logical asset, and alocation of the physical or logical asset within the SDCS. The set ofcapabilities of the physical or logical asset may include thecapabilities included in the announcement. The set of capabilities mayalso include capabilities automatically inferred by the discoveryservice which are not included in the announcement.

More specifically, the discovery service may retrieve these capabilitiesfrom a context dictionary container. The context dictionary containerincludes a context that infers a set of capabilities from a type ofphysical or logical asset. For each type of physical or logical asset,the context may include a list of each of the process parametersprovided by the physical or logical asset, each of the servicesperformed by the physical or logical asset, and each of the serviceswithin the SDCS that call on the physical or logical asset tocommunicate information.

FIG. 38 illustrates a flow diagram representing an example method 2800for inferring information regarding a physical or logical asset of aprocess plant using a context dictionary. The method may be executed bya discovery service.

At block 2802, the discovery service obtains an announcement indicativeof the presence of a physical or logical asset. When a new physical orlogical asset, such as a field device, process control device, computenode, containers, service, microservice, etc. is added to the processplant network 22, 25, 30, 32, 35, 42-58, the new physical or logicalasset may announce its presence by for example, broadcasting its networkaddress to nodes or services connected to the process plant network 22,25, 30, 32, 35, 42-58. In other implementations, the discovery servicemay broadcast a request to each of the physical or logical assets in theprocess plant network 22, 25, 30, 32, 35, 42-58 to announce theirpresence.

The announcement may include an identifying parameter for the physicalor logical asset such as an asset tag of the physical or logical asset,a MAC address of the physical or logical asset, a network address of thephysical or logical asset, a cryptographic key for the physical orlogical asset, a serial number for the physical or logical asset, and/ora name of a service or subsystem associated with the physical or logicalasset. The announcement may also include a network address for thephysical or logical asset or any other suitable location information forthe physical or logical asset including physical or network locationinformation. Additionally, the announcement may include capabilities ofthe physical or logical asset, such as process parameters that thephysical or logical asset is configured to provide, services that thephysical or logical asset is configured to provide, or servicesconfigured to communicate with the physical or logical asset.

At block 2804, the discovery service obtains additional parameters orservices associated with the physical or logical asset that were notincluded as capabilities of the physical or logical asset in theannouncement. More specifically, the discovery service may retrieve theadditional parameters or services from a context dictionary container.

The context dictionary container includes a context that infers a set ofcapabilities from a type of physical or logical asset. For each type ofphysical or logical asset, the context may include a list of each of theprocess parameters provided by the physical or logical asset, each ofthe services performed by the physical or logical asset and each of theservices within the SDCS that call on the physical or logical asset tocommunicate information.

The discovery service may provide the identity of the physical orlogical asset to the context dictionary container, and the contextdictionary container may determine the type of physical or logical assetbased on the identity. For example, the context dictionary container maystore a set of rules for determining the type of physical or logicalasset based on the identity of the physical or logical asset. Morespecifically, the context dictionary container may analyze the assettag, serial number, or name of a service or subsystem associated withthe physical or logical asset to determine the type of physical orlogical asset. For example, if the asset tag for the physical or logicalasset is “CTRL-VALVE-01,” the context dictionary container may determinethat the type of physical or logical asset is a control valve. Thecontext dictionary container may store a list of physical or logicalasset types and asset tags, serial numbers, names or portions thereofthat correspond to each physical or logical asset type.

Then the context dictionary container automatically infers the set ofcapabilities from the type of physical or logical asset using thecontext and provides the set of capabilities inferred from the type ofphysical or logical asset to the discovery service. For example, for aparticular physical or logical asset, the announcement may indicate thatthe physical or logical asset can provide a first set of parametersrelated to control of the physical or logical asset. The context mayfurther identify additional parameters related to maintenance of thephysical or logical asset. In another example, the context may includemechanisms for accessing each of the additional parameters or services,such as mechanisms for accessing the maintenance parameters.

Then at block 2806, the discovery service stores a record of thephysical or logical asset in a discovered item data store. The recordmay include an indication of the identity of the physical or logicalasset, and the additional parameters or services associated with thephysical or logical asset which were not included in the announcement.The record my also include the capabilities included in theannouncement.

FIG. 39 illustrates a flow diagram representing an example method 2900for inferring a set of capabilities from each type of physical orlogical asset in a process plant and determining the capabilities of adiscovered physical or logical asset. The method may be executed by acontext dictionary service.

At block 2902, the context dictionary service stores each type ofphysical or logical asset of the process plant 10. Then for each type ofphysical or logical asset, the context dictionary service stores a setof capabilities of the type of physical or logical asset (block 2904).The set of capabilities may include parameters retrievable from the typeof physical or logical asset and services associated with the type ofphysical or logical asset, such as services performed by the physical orlogical asset or services that communicate with the physical or logicalasset. The context dictionary service may infer correspondingcapabilities for each type of physical or logical asset using a context.

Then at block 2906, the context dictionary service obtains a request forthe capabilities of a particular physical or logical asset. The requestmay include identification information for the physical or logicalasset, such as an asset tag, a MAC address of the physical or logicalasset, a network address of the physical or logical asset, acryptographic key for the physical or logical asset, a serial number forthe physical or logical asset, and/or a name of a service or subsystemassociated with the physical or logical asset. The request may beprovided by the discovery service. In other scenarios, the request maybe provided by a node or service within the SDCS attempting to locate aparticular physical or logical asset having a specific capability. Inyet other scenarios, the request may be provided by a node or servicewithin the SDCS interested in accessing process parameters or servicesprovided by the physical or logical asset.

In response to the request, the context dictionary service determinesthe type of physical or logical asset based on the identificationinformation for the physical or logical asset (block G2908). Forexample, the context dictionary service may store a set of rules fordetermining the type of physical or logical asset based on the identityof the physical or logical asset. More specifically, the contextdictionary service may analyze the asset tag, serial number, or name ofa service or subsystem associated with the physical or logical asset todetermine the type of physical or logical asset. The context dictionaryservice may store a list of physical or logical asset types and assettags, serial numbers, names or portions thereof that correspond to eachphysical or logical asset type.

Then at block 2910, the context dictionary service may infer the set ofcapabilities from the type of physical or logical asset using thecontext. The context dictionary service may then provide a response tothe request that includes the set of capabilities corresponding to thetype of physical or logical asset.

In some implementations, the context dictionary service executes via afirst container nested in a second container for a discovery service. Inother implementations, the context dictionary service and discoveryservice do not execute in nested containers.

FIG. 40 illustrates a flow diagram representing an example method 3000for fault recovery of discovered items in a process plant 10. The methodmay be executed by a discovery service.

At block 3002, a fault is detected in a discovered item data store. Forexample, the discovered item data store may be corrupted, destroyed,missing records of physical or logical asset. Additionally, thediscovered item data store may have been reset for example, due to apower outage. In response to detecting the fault, the discovery servicebroadcasts a request to physical or logical assets within the processplant 10 to announce their presence (block 3004).

In response to the request, the discovery service receives announcementsfrom the physical or logical assets in the process plant 10 (block3006). Each announcement may include an identifying parameter for thephysical or logical asset such as an asset tag of the physical orlogical asset, a MAC address of the physical or logical asset, a networkaddress of the physical or logical asset, a cryptographic key for thephysical or logical asset, a serial number for the physical or logicalasset, and/or a name of a service or subsystem associated with thephysical or logical asset. The announcement may also include a networkaddress for the physical or logical asset or any other suitable locationinformation for the physical or logical asset including physical ornetwork location information. Additionally, the announcement may includecapabilities of the physical or logical asset, such as processparameters that the physical or logical asset is configured to provide,services that the physical or logical asset is configured to provide, orservices configured to communicate with the physical or logical asset.

Then at block 3008, the discovery service stores a recovered record ofthe physical or logical assets in a discovered item data store. For eachphysical or logical asset, the recovered record may include anindication of the identity of the physical or logical asset, a set ofcapabilities of the physical or logical asset, and a location of thephysical or logical asset within the SDCS. The set of capabilities ofthe physical or logical asset may include the capabilities included inthe announcement. The set of capabilities may also include capabilitiesautomatically inferred by the discovery service which are not includedin the announcement. In this manner, the record of the physical orlogical assets is automatically received without requiring manual input.

As mentioned above, the discovery service may assist in thecommissioning of physical or logical assets within the process plant 10,so that the SDCS may automatically commission physical or logical assetswithout manual input. While the SDCS and more specifically, an I/Oserver service, may commission physical or logical assets in response tothe discovery service discovering the physical or logical assets, thisis merely one example implementation. In other implementations, otherservices may identify physical or logical assets within the processplant 10 such as a process control configuration service.

FIG. 41 illustrates a flow diagram representing an example method 3100for automatically commissioning an SDCS. The method may be executed by adiscovery service, a process control configuration service, an I/Oserver service, or any suitable combination of these.

At block 3102, an announcement indicative of the presence of a physicalor logical asset is obtained. When a new physical or logical asset, suchas a field device, process control device, compute node, containers,service, microservice, etc. is added to the process plant network 22,25, 30, 32, 35, 42-58, the new physical or logical asset may announceits presence by for example, broadcasting its network address to nodesor services connected to the process plant network 22, 25, 30, 32, 35,42-58. In other implementations, the discovery service may broadcast arequest to each of the physical or logical assets in the process plantnetwork 22, 25, 30, 32, 35, 42-58 to announce their presence.

The announcement may include identifying parameters for the physical orlogical asset such as an asset tag of the physical or logical asset, aMAC address of the physical or logical asset, a cryptographic key forthe physical or logical asset, a serial number for the physical orlogical asset, and/or a name of a service or subsystem associated withthe physical or logical asset. The announcement may also include anetwork address for the physical or logical asset or any other suitablelocation information for the physical or logical asset includingphysical or network location information. For example, the locationinformation may also include the physical location of the physical orlogical asset such as a particular section of the process plant 10 wherea physical asset is located or a physical location of a compute nodethat stores and/or executes a logical asset.

At block 3104, the identifying parameters and location parameters forthe physical or logical asset are transmitted to an I/O server service,such as the I/O server service 242 of FIG. 2 . The discovery service orprocess control configuration service may transmit each of theidentifying parameters for the physical or logical asset included in theannouncement to the I/O server service or may transmit a subset of theidentifying parameters included in the announcement which may be used touniquely identify the physical or logical asset.

Additionally, the discovery service or process control configurationservice may transmit location information to the I/O server service sothat the I/O server service may communicate with the physical or logicalasset.

At block 3106, the I/O server service may automatically commission thephysical or logical asset based on the identification information andthe location information. Commissioning may include actions oractivities, such as verifying or confirming the identity of the physicalor logical asset, generating tags that unique identify the physical orlogical asset within the process plant 10, and performing tests toensure that the I/O server service is in communication within thephysical or logical asset.

The I/O server service may generate a tag for uniquely identifying thephysical or logical asset based on the identifying parameters for thephysical or logical asset. For example, as mentioned above, theidentifying parameters for the physical or logical asset may include anasset tag such as “CTRL-VALVE,” and the process plant 10 may includeseveral control valves having the same asset tag. The I/O server servicemay generate the tag for the valve based on a combination of the assettag and the cryptographic public key for the valve. For example, if thelast four characters of the cryptographic public key for the valve are“xg4t,” the tag may be “CTRL-VALVE-xg4t.”

In other implementations, the I/O server service may generate tags forcontrol valves that include the string “CTRL-VALVE” followed by a numberwhich has not been used to identify another valve in the process plant10. If for example, there are four control valves, the tags may be“CTRL-VALVE-01,” “CTRL-VALVE-02,” “CTRL-VALVE-03,” and “CTRL-VALVE-04.”The I/O server service may determine that a physical or logical assethas not already been assigned a unique tag by comparing the identifyingparameters for the physical or logical asset to the identifyingparameters for physical or logical assets that have been assigned tags.If the identifying parameters do not match, the I/O server service mayassign a new unique tag to the physical or logical asset, such as“CTRL-VALVE-05.”

In another example, two physical or logical assets may be valves havingthe same serial number which is a part number. The two valves may beuniquely identified based on a combination of the serial number andcryptographic keys for the two valves. Accordingly, the I/O serverservice may generate the tags for each valve based on the combination ofthe serial number and cryptographic keys for each valve.

Then the I/O server service may store the tag in association with thelocation information for the physical or logical asset in a data store,which may be used as a reference for communicating with the physical orlogical asset.

To test the physical or logical asset, the I/O server service maytransmit data to the physical or logical asset or request informationfrom the physical or logical asset using the location information. Ifthe I/O server service is able to successfully communicate with thephysical or logical asset, the I/O server service may determine that thephysical or logical asset has been successfully commissioned. In someimplementations, the I/O server service may request a particularparameter from the physical or logical asset (e.g., a mass flow rate),and may generate and store signal tags for particular parameters orservices associated with the physical or logical asset. A signal tag mayinclude a combination of the tag for the physical or logical asset andan identifier of the particular parameter or service. In otherimplementations, the I/O server service does not store signal tags.

To verify or confirm the identity of the physical or logical asset, theI/O server service may for example, obtain a cryptographic public key orPSK for the physical or logical asset from the identifying parameters.The I/O server service may encrypt the request for information using thecryptographic public key or PSK, and if the I/O server service receivesa response to the request from physical or logical asset, the I/O serverservice determines that the physical or logical asset was able todecrypt the request using the cryptographic public key or PSK. As aresult, the I/O server service verifies the identity of the physical orlogical asset.

As noted above, the system orchestrator 222 controls or manages theallocation of the various logical entities, including containers, tovarious ones of the data center clusters 208 and ultimately toindividual computing devices, such as servers (and even to processors orcores of processors in a server of a data cluster 208), and may performthis assignment during the runtime operation of the control system inorder to assure operation of the control system when various physicaldevices (such as servers) fail, are taken out of service, becomeoverloaded, are running slowly, etc. This dynamic and runtime allocationis very much different than past control system architectures in whichthe physical assets or computing devices that implemented a logicalelement, such as a control module or a control routine, where specifiedby the configuration system and did not change during run-time. As such,in this new system architecture, a user may not know where a specificlogical element, such as a controller, or a container associated with acontroller, is being executed or implemented at any particular time,much less know or be able to easily determine health or performancestatistics associated with such a logical element (such as communicationbandwidth or message rates). Moreover, it will not be easy for a userobtain performance or health indicators for the physical device in whicha particular logical element is currently executing, such as latency,efficiency, load, etc., as a user will not be able to know, from theconfiguration system alone, what logical elements are currentlyoperating on any particular physical device or physical node at anygiven time.

In many cases, however, it is important that a user, such as a controlsystem operator, a maintenance person, etc., be able to view the currentoperational status of one or more logical elements of the control systemin order to view and/or diagnose the current operational status of theprocess control system or to diagnose a problem within the processcontrol system. Still further, a user may need to know what logicalelements are currently executing on a particular physical device orphysical node in order to perform servicing, updating, or othermaintenance or repair activities at or on that device or node. Stillfurther, as noted above, it may be important to easily visualize thecurrent configuration of the logical elements within the plant,including the manner in which the logical elements, e.g., thecontainers, of the process control system are nested or pinned to oneanother and/or the manner in which these logical elements are pinned toparticular hardware components.

To assist a user in viewing the current runtime operation of a controlsystem using the new system architecture described herein, avisualization service, which may be one of the services 240 of FIG. 2 ,may be provided to generate one or more system configuration and/orruntime visualizations for a user (via a user interface) to assist theuser in understanding the currently configured and operationalrelationships between the various logical and physical elements of thecontrol system as well as to view one or more performance indicators forthe logical and physical elements. In particular, a visualization (oruser interface) service 3202 is illustrated in FIG. 42 which is executedon a computer processor and which operates to interrogate or otherwisecommunicate with the orchestrator 222 as well as one or more of theorchestrator subsystems 252, 255, 258, 260 and discover, at anyparticular time, which logical elements are being hosted or executed onwhich physical devices, in additional to various health and/orperformance statistics or indices associated with those logical elementsand/or physical devices. In some cases, the visualization service 3202may additionally communicate with a configuration database 3203 toobtain logical and physical element configuration information and tocreate a configuration/runtime visualization of the control system(including both logical and physical elements) that enables a user toview information identifying the various configuration and run-timedetails of the currently configured interplay between the logicalelements (with each other) and between the logical elements and thephysical elements of the control system. In some cases, thisconfiguration interface may enable a user to change configurationdetails (such as pinning and nesting of logical and/or physicalelements) on the fly or during run-time.

FIG. 42 depicts the visualization service or utility 3202 (that executeson a computer processor) as communicating with the orchestrator 222 ofFIG. 1 as well as, if necessary, the configuration database 3203, todiscover configuration and runtime information for the various logicaland physical elements. The visualization service 3202 may subscribe toinformation from the orchestrator 222 for active visualizations, and/ormay send one or more queries to the orchestrator 222 (and theconfiguration database 3203) when generating a visualization for a uservia a user interface 3204. In any event, the visualization service 3202executes to display both logical and physical information about thecontrol system to a user via the user interface device 3204 (which maybe any type of user interface, such as a laptop, a wireless device, aphone application, a workstation, etc.) and may display control systeminformation in an interactive manner, so as to enable the user to viewconfigured, as well as the current run-time operation of the variouslogical elements within the plant, and of the physical elements to whichthese logical elements are currently assigned. In particular, thevisualization service 3202 may present one or more screens to a user viathe user interface device 3204 displaying one or more logical and/orphysical elements of the control system and may enable the user toselect any of various logical and/or physical elements of the controlsystem, as currently being implemented, to indicate more detail aboutthe configuration and/or runtime information the user wishes to see. Thevisualization service 3202 then obtains, from the orchestrator 222,runtime information for the selected logical and/or physical elementsincluding, for example, the manner in which the logical elements (e.g.,containers, such as control containers) are nested within or pinned toone another, the manner in which the logical elements are being executedin or on various physical elements, and/or one or more performanceindicators that indicates the operational health or performance of thelogical and/or physical elements as currently operating. Thevisualization service 3202 presents this information to the user in oneor more screen displays and may, in some cases, enable the user tointeract via a screen display to view other information, and todynamically change the operation of the control system in terms of howone or more of the logical elements are assigned to other logicalelements or to physical elements.

In one example, the utility 3202 may obtain configuration information,such as a configuration hierarchy, from the configuration database 3203in addition to obtaining runtime information from the orchestrator 222and may present a configuration hierarchy (including both configurationinformation and runtime assignment information) to the user to enablethe user to view various configured elements of the control system asthey are currently operating or executing within the plant or controlsystem. FIG. 43 illustrates an example configuration/runtime hierarchy3210 that may be provided to a user. In this case, the hierarchy 3210includes both physical and logical elements in a familiar structure andenables a user to drill down in the hierarchy 3210 to view moreinformation about any of the upper or higher level logical and physicalelement information to see more information about the system ascurrently configured and as currently operating during run-time. Inparticular, in the example of FIG. 43 , the hierarchy 3210 depicts bothlogical elements (including containers associated with the variouscontrol, subsystem and I/O services) and physical elements (e.g., dataclusters, compute nodes, etc.) Generally, as noted above, the softwaredefined control system, when configured, divides the physical nodes intomicro-services (containers) and then run these containers on one or moreclusters of computing nodes, some of which are chosen by theorchestrator 222 during runtime. The hierarchy 3210 of FIG. 43illustrates this configuration, as the hierarchy 3210 includes aPhysical Network element 3220 and a Control Network element 3230. ThePhysical Network element 3220 may, when expanded, details or lists, in ahierarchical manner, the physical interconnections of the physicalelements or devices associated with the software defined control system,including any of the field devices (valves, transmitters, etc.),physical I/O devices, network switches, data center clusters and theircomponents, user interfaces, historians, etc. In one example, the datacenter clusters can each include a collection of physical nodes (i.e., acollection of servers), wherein each server can be located in a specificblade of a rack of servers (which may or may not all be part of the samecluster). Moreover, each server can have one or more processors, andeach processor may have one or more cores, and all of these variouselements can be specified or illustrated under or as part of thePhysical Network element 3220. Still further, if desired, each node orrack of nodes could be associated with one or more particular powersupplies, such that a power supply may supply an entire rack, or onlycertain nodes on the rack, so that the nodes in a single rack could havepower supply redundancy. In any event, this and other physicalconfiguration information could be illustrated in the hierarchy 3210under the Physical Network element 3220.

Still further, in the example display 3210 of FIG. 43 , the ControlNetwork element 3230 includes various different physical and logicalcomponents therein, including a user interface (ProPlus station), an I/Onetwork (with tags), a wireless I/O network, and one or more computeclusters (with Compute Cluster 1, labeled with reference number 3235,shown in FIG. 43 ). Still further, the each compute cluster may havemultiple nodes 3236 associated therewith or thereunder, with one ofthese nodes 3236 being illustrated in FIG. 43 . Thus upper levelelements of the Control Network element 3230 are generally physicalelements. However, as described earlier and as illustrated in thehierarchy 3210, each node 3236 may have various logic elements (e.g.,containers) assigned thereto or associated therewith, including, forexample, controller containers 3240 which specify different configuredcontrollers (which are logical elements in the SDCS architecture),control subsystem containers such as assigned modules 3242, assigned I/Ocontainers 3244, third party containers 3246, area containers 3247,historian containers 3248, etc. The box 3250 in FIG. 43 points to somebut not all of the containers indicated in the hierarchy 3210. It willbe noted that the hierarchy 3210 of FIG. 43 illustrates both configuredhardware components and configured logical elements, includingcontainers. Still further, and importantly, the hierarchy 3210 of FIG.43 illustrates the manner in which the various containers shown thereinare nested or pinned to other containers and/or to physical elementsunder the different hierarchical layers. For example, the assignedmodule of Boiler_1 (3260) is pinned to the Controller 2 container 940(as illustrated in multiple locations in the hierarchy 3210 by thereference number 3260) and the third party container MaterialComposition is pinned to Controller 2 as indicated at the referencenumber 3262). As will also be understood, the containers listed in thehierarchy 3210 below another container are nested within the upper levelcontainer at the time of the rendering of the hierarchy 3210. Thisnesting may be a result of the pinning of the element or a result of therun-time placement of the element by the orchestrator 222. Thus, thehierarchy 3210 may be used to indicate the configured operation of thesystem (in terms of how the containers are pinned with respect to oneanother or to particular hardware elements) and the runtime operation ofthe system (in terms of how containers are nested within othercontainers and are being executed in particular hardware or physicalcomponents). Moreover, the hierarchy 3210 can indicate the currentoperational configuration of the control system in terms of logicalelements that are assignable during run-time operation, such as byillustrating the controller or the module to which a particularassignable container is currently assigned, and/or the physical elementto which a particular container is currently assigned.

Still further, the hierarchy 3210 may indicate that various containersare dynamically assignable by the user, such as via the interaction ofthe elements within the hierarchy 3210. For example, the hierarchy 3210of FIG. 43 indicates that various recipes 3270 are dynamicallyassignable containers. In some cases, the user interface application mayenable a user to reassign a container (such as a recipe or otherdynamically assignable container) by selecting the element in thehierarchy 3210 and dragging and dropping the element under or within anew logical or physical entity within the hierarchy 3210. Of course,other manners of performing a dynamic reassignment of a logical elementto another logical element or to a physical element may be used as well(e.g., drop down menus, new windows, etc.)

Thus, as illustrated in the hierarchy 3210 of FIG. 43 , control itemssuch as Areas, Units, Equipment Modules, and Modules may be associatedwith a physical control cluster. Once assigned, a control item, forexample Unit C-101, stays together as a control strategy. Because inthis example, Unit C-101 has not been pinned, it may be allocated to anyof the controller nodes (compute nodes). Unit BOILER_1, on the otherhand, has been pinned to Controller 2. If the hardware node to whichController 2 is assigned fails, then everything pinned to Controller 2will migrate (based on the actions of the orchestrator 222) to anotherserver or node with free resources. Dynamically assignable controlitems, on the other hand, may be dynamically allocated to any controllerwith free resources.

The same approach described above for control items is also used forhistory, alarms & events, batch, continuous historian, and othersubsystem containers. Subsystems are run in separate containers and maybe pinned to controller/compute nodes or they may be dynamicallyallocated. Thus, following the description above, all subsystems aretreated as containers. As a further allocation, control items from thecontrol strategies hierarchy may be assigned to the compute cluster andthen pinned or dynamically assigned to compute nodes (e.g., by using adrag and drop technique in the hierarchy 3210). Similarity, I/Ocontainers may be assigned to a compute cluster and dynamically assignedas the control items are dynamically assigned. Going further,micro-containers may run on I/O devices.

In any event, as will be understood, the visualization service 3202 maycreate the hierarchy 3210 so that the hierarchy 3210 indicates (1) thepermanently configured (non-changeable or pinned) relationships betweenphysical and logical elements and between logical elements and otherlogical elements, (2) the temporarily configured (user assignable ordynamically assignable during run-time) relationships between physicaland logical elements and between logical elements and other logicalelements, and (3) the run-time or current relationships as currentlyassigned by the orchestrator 222 during runtime between physical andlogical elements and between logical elements and other logicalelements. Thus, the hierarchy 3210 can be created to indicate therelationships between the containers and various hardware elements, suchas nodes, servers, processors, cores, racks, power supplies, etc., onwhich those containers are currently being executed and if theserelationships are pinned. Still further, the hierarchy 3210 can be usedto indicate dynamically assignable containers and may even be used ormanipulated by the user to perform reassign of dynamically assignablecontainers during runtime. In this case, the visualization service 3202,upon receiving an instruction to reassign a container to another logicaland/or physical element, will instruct the orchestrator 222 of thereassignment and the orchestrator 222 will perform the reassign of thecontainer (and any containers that are nested within or pinned to thereassigned container). Still further, the hierarchy 3210 can be createdto indicate the run-time configuration (as performed by the orchestrator222) of various logical and physical elements with respect to oneanother.

Of course, the visualization service 3202 may display relationshipsbetween logical elements (e.g., containers) and other logical elementsand/or physical elements in other manners and may also include keyperformance and diagnostic indicators to enable a user to understand thecurrent operational health or performance of the control system or anyof the various components thereof. As an example, the visualizationservice 3202 of FIG. 42 may illustrate, for a user, the currentconfiguration of each of a set of physical elements (e.g., nodes orservers of the system, such as all of the nodes of a particular computecluster) by illustrating the physical elements in conjunction with thelogical elements (containers) that are currently assigned thereto or arerunning thereon. In this case, the visualization service 3202 may alsoobtain and indicate physical element health, diagnostic and/orperformance statistics or measures computed or determined by, forexample, one or more of the utilities 252, 255, 258, 260 of FIG. 2 .FIG. 44 illustrates an example user interface or display 3300 that maybe created by the visualization service 3202 to illustrate a datacluster 3310 having three servers or nodes 3320 therein. The display3300 also illustrates a set of containers or container types for each ofthe nodes 3320 and, in this case, includes a container orchestratorservice 3330, a set of control containers 3332, a batch executivecontainer 3334, and a continuous historian container 3336 in each of thenodes 3320. While not shown in FIG. 44 , the visualization service 3202may enable a user to drill down into each of the boxes 3332 to 3336 tosee the various containers (e.g., control containers and any containersnested within or pinned to those control containers) and the subsystemcontainers 3334 and 3336 to view the logical elements currentlyexecuting on each of the respective servers 3320. Still further, thevisualization service 3202 may present, on the display 3300, a set ofperformance indictors 3340 for each of the servers, including, forexample, current CPU loading, storage utilization, network bandwidth,and core temperature. Of course, these are only a few example diagnosticor performance indicators that can be obtained and displayed for each ofthe servers or nodes 3320, and other performance and diagnosticinformation can be provided for the each of the hardware elements(servers or nodes 3320) as well or instead. Still further, thevisualization service 3202 may display or provide other performanceindicators such as a network health 3342 for the communication networkin the cluster 3310 of FIG. 44 and may indicate performance indicatorsfor logical elements such as a service container health 3344 for a batchexecutive in one of the servers 3320.

Again, the visualization service 3202 may enable a user to drill downinto any of the elements 3330, 3332, 3334 and 3336 (or other containerssuch as third party containers, etc. displayed as being associated withany of the hardware elements 3320) to view the logical elements withinthose containers that are executing on the respective server or hardwarenode and one or more performance or diagnostic indicators for any of thesub-elements. The visualization service 3202 may also indicate sub-unitsof the physical elements that execute each of the sub-units of thelogical elements, such as particular server processors or cores orblades or power supplies associated with or implementing the logicalsub-units. This tool can thus provide a user with large-grain updates ofthe system as a whole from multiple aspects, such as from a logical viewof controllers and I/O and their associated service containers, as wellas a physical view of servers and physical resource management, and canalso provide diagnostic information relating to the performance of thesoftware defined control system or any part thereof at any particulartime.

In another case, the visualization service 3202 may provide a diagram oflogical elements or containers of the system or some sub-part of thesystem, and indicate the various physical elements on which theselogical elements are currently running or executing. FIG. 45 depicts anexample display 3400 that may be used to illustrate a logical element(in this case the Controller 1 container) and the manner which variouslogical sub-elements of the Controller 1 container are distributed inhardware at the current time during the performance of the controlsystem. Thus, in the example display 3400 of FIG. 45 , the logicalController #1 is shown to include three redundant controller containers(Controller Container #1) wherein, for redundancy purposes, a first oneof the Controller Container #1 instances is being executed on a PhysicalServer 3430 and the second and third ones of the Controller Container #1instances are being executed on a different Physical Server 3432.Moreover, the diagram 3400 of FIG. 45 illustrates that the logicalController #1 (including the three sub-containers nested therein orpinned thereto) communicate using a set of redundant I/O servers or I/Ocontainers 3440 which are tied to a Remote I/O container 3442. Thediagram 3400 also indicates which of the redundant Controller #1instances is currently operating as the active controller or controllerinstance. If desired, the display 3400 of FIG. 45 could illustrate theparticular hardware elements that are currently implementing theredundant I/O containers 3440, and/or the hardware device that iscurrently executing the remote I/O container 3442. Moreover, thevisualization service 3202 may provide, in the display 3400, any of adesired set of performance indicators for any of the logical or physicalelements depicted therein. Of course, FIG. 45 is but a simple example,and the diagram 3400 of FIG. 45 could be expanded to show any set oflogical elements and the corresponding physical nodes or hardware onwhich these elements are currently running. Additionally, keyperformance and diagnostic indicators may be displayed in the diagram3400 of FIG. 45 for each of the logical elements (and if desired thephysical elements) depicted therein in any desired manner.

FIG. 46 illustrates another visualization or display screen 3500 thatcan be provided by or created by the visualization service 3202 toindicate the current operational configuration and interaction ofvarious logical and physical assets within the plant or control systemas well as various performance and/or diagnostic indicators for eachdisplayed element. The screen display 3500 illustrates a set of logicalelements on the right-hand side including, in this example, a softwaredefined control system container 3502, a batch executive container 3504and a continuous historian container 3506. The diagram or interfacescreen 3500 illustrates that these logical elements are connected via abus 3510 to an I/O server 3512 which is, in turn, coupled to a set offield devices 3514. Moreover, the diagram 3500 illustrates variousdifferent performance indicators 3520 (indicating performance of theelements of the control system as currently running) for each of thelogical elements or containers 3502, 3504, and 3506, including, in thisexample a message per second indicator, a storage utilization indicator,a network bandwidth indicator, and an error rate indicator. Moreover,the diagram 3500 may including, in the list of performance indicators3520, physical elements being used to implement the logical elements,such as an assigned physical node for each of the associated logicalelements. However, this physical assignment indicator could indicateother physical hardware such as a server, a processor, a core, a blade,a power supply, etc. The diagram 3500 illustrates the same performanceand diagnostic indicators for the I/O server container 3512 as well butcould, of course, provide different performance and diagnosticindicators for this or any of the logical elements depicted therein.Still further, the diagram 3500 illustrates performance and diagnosticindicators 3522 for the bus 3510 in the form of a bus bandwidth, messagediagnostics, and error conditions, and additionally indicates thephysical network adapters that make up or that are being implemented asthe bus 3510 over which the containers 3502, 3504, and 3506 are incommunication with the I/O server container 3512 (which may be theactual I/O server). Of course, other performance and diagnosticindicators may be obtained and displayed as well. Thus, again, thevisualization 3500 of FIG. 46 illustrates the manner in which variouslogical elements (containers) are connected and are implemented inphysical hardware which implements these logical elements, and providesdiagnostic or performance indicators for one or both of the logical andphysical elements making up this part of the control system to assist auser in visualizing the operation of the software defined controlsystem.

In each of these examples, the user interface or visualization service3202 may show or illustrate the physical and logical configurations (andif desired associated performance data obtained via various differentdiagnostic services) as these physical and logical elements are beingimplemented by the container orchestrator and the software definednetworking controller which manages all network traffic through thesystem. Moreover, any or all of the visualizations presented in thesediagrams may use color maps to denote particular health levels and mayprovide recommender systems to recommend actions the user should take toalleviate perceived or detected issues within the software definedcontrol system being visualized. Of course, it will be understood thatFIGS. 43-46 illustrate but a few examples of the screens that could beused to display the manner in which various logical and physicalelements are interacting and performing at any particular time duringrun-time of the control system, and that other visualizations could beused instead.

Other Considerations

When implemented in software, any of the applications, modules, etc.described herein may be stored in any tangible, non-transitory computerreadable memory such as on a magnetic disk, a laser disk, solid statememory device, molecular memory storage device, or other storage medium,in a RAM or ROM of a computer or processor, etc. Although the examplesystems disclosed herein are disclosed as including, among othercomponents, software and/or firmware executed on hardware, it should benoted that such systems are merely illustrative and should not beconsidered as limiting. For example, it is contemplated that any or allof these hardware, software, and firmware components could be embodiedexclusively in hardware, exclusively in software, or in any combinationof hardware and software. Accordingly, while the example systemsdescribed herein are described as being implemented in software executedon a processor of one or more computer devices, persons of ordinaryskill in the art will readily appreciate that the examples provided arenot the only way to implement such systems.

Thus, while the present invention has been described with reference tospecific examples, which are intended to be illustrative only and not tobe limiting of the invention, it will be apparent to those of ordinaryskill in the art that changes, additions or deletions may be made to thedisclosed embodiments without departing from the spirit and scope of theinvention.

The particular features, structures, and/or characteristics of anyspecific embodiment may be combined in any suitable manner and/or in anysuitable combination with one and/or more other embodiments, includingthe use of selected features with or without corresponding use of otherfeatures. In addition, many modifications may be made to adapt aparticular application, situation and/or material to the essential scopeor spirit of the present invention. It is to be understood that othervariations and/or modifications of the embodiments of the presentinvention described and/or illustrated herein are possible in light ofthe teachings herein and should be considered part of the spirit orscope of the present invention. Certain aspects of the invention aredescribed herein as exemplary aspects.

What is claimed is:
 1. A method for role-based authorization in asoftware defined process control system (SDCS), the method comprising:obtaining, via a security service executing via a container on a computenode within the software defined process control system (SDCS), arequest to access another service within the SDCS from a user;determining, by the security service, an authorization level of the userbased on the request; determining, by the security service, whether theuser is authorized to access the other service based on theauthorization level; and in response to determining the user isauthorized to access the other service, providing, by the securityservice, the user access to the other service.
 2. The method of claim 2,further comprising: authenticating, via an authentication serviceexecuting via a container on a compute node within the SDCS, the uservia a certificate included in the request, wherein determining theauthorization level includes obtaining the authorization level of theuser from the certificate.
 3. The method of claim 2, whereinauthenticating the user includes determining that the certificateincludes a digital signature by a certificate authority.
 4. The methodof claim 2, wherein the type of certificate assigned to the user isbased on the authorization level of the user, and the security servicedetermines the user's authorization level based on the type ofcertificate included in the request.
 5. The method of claim 1, whereinthe security service provides the user access to the other service in afirst instance, and further comprising: in a second instance, inresponse to determining the user is not authorized to access the otherservice, preventing, by the security service, access to the otherservice.
 6. The method of claim 1, further comprising: determining aminimum threshold authorization level for accessing the other service;and determining that the user is authorized to access the other servicein response to determining that the authorization level for the usermeets or exceeds the minimum threshold authorization level.
 7. Themethod of claim 1, wherein obtaining a request to access another serviceincludes obtaining the request to access the other service from aphysical or logical asset of the process plant which is controlled bythe user.
 8. A software defined process control system (SDCS) to controlan industrial process in a process plant, the SDCS comprising: acertificate authority service executing via a container on a computenode of the SDCS to: obtain a request for a certificate from a physicalor logical asset of the process plant utilized during run-time of theprocess plant to control at least a portion of the industrial process,the request including identification information for the physical orlogical asset; verify an identity of the physical or logical asset basedon the identification information; generate a certificate for thephysical or logical asset including a cryptographic public key for thephysical or logical asset, an identifier for the certificate authorityservice, and a digital signature for the certificate authority serviceto prove that the certificate has been generated by the certificateauthority service; and provide the certificate to the physical orlogical asset to be used to authenticate the physical or logical assetwhen interacting with other services of the SDCS.
 9. The SDCS of claim8, further comprising: an authentication service executing via acontainer on a compute node of the SDCS to: obtain a request toauthenticate the physical or logical asset in response to a request bythe physical or logical asset to access another service of the SDCS;obtain the certificate assigned to the physical or logical asset;authenticate the physical or logical asset by determining that thecertificate includes a digital signature by a certificate authority; andprovide an indication that the physical or logical asset isauthenticated for accessing the other service.
 10. The SDCS of claim 9,further comprising an encryption service executing via a container on acompute node of the SDCS to: receive data from the other service of theSDCS; encrypt the data using the public cryptographic key for thephysical or logical asset; and provide the encrypted data to thephysical or logical asset.
 11. A method for authenticating a physical orlogical asset of a process plant, the method comprising: obtaining, by asecurity service executing via a container on a compute node within asoftware defined process control system (SDCS), a request from thephysical or logical asset of the process plant to access another serviceexecuting via a container on a compute node within the SDCS, the requestincluding a certificate, wherein the physical or logical asset of theprocess plant is utilized during run-time of the process plant tocontrol at least a portion of the industrial process; verifying, by anauthentication service executing via a container on a compute node ofthe SDCS, authenticity of the physical or logical asset based on thecertificate; and providing, by the security service, access to the otherservice in response to verifying authenticity of the physical or logicalasset.
 12. The method of claim 11, further comprising: obtaining, by thesecurity service, a cryptographic public key for the physical or logicalasset from the certificate; encrypting, by the security service, datafrom the other service using the cryptographic public key; andproviding, by the security service, the encrypted data to the physicalor logical asset.
 13. The method of claim 11, further comprising:determining, by the security service, an authorization level of a usercontrolling the physical or logical asset based on the request; anddetermining, by the security service, whether the user is authorized toaccess the other service based on the authorization level; wherein thesecurity service provides access to the other service in response todetermining the user is authorized to access the other service andverifying the authenticity of the physical or logical asset.
 14. Themethod of claim 13, wherein determining whether the user is authorizedto access the other service based on the authorization level includes:determining a minimum threshold authorization level for accessing theother service; and determining that the user is authorized to access theother service in response to determining that the authorization levelfor the user meets or exceeds the minimum threshold authorization level.15. The method of claim 11, wherein verifying authenticity of thephysical or logical asset includes determining that the certificateincludes a digital signature by a certificate authority.